-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 14 August 2003 06:47, Mathieu Jobin wrote:
> If there is a backdoor/rootkit install, maybe someone modify your login
> program and now get your rootpasswd somewhere else. Maybe hardcoded in your
> login program.

more than maybe: almost definitely. /bin/login trojans are probably one of
the most common bits of payload in rootkits. humorously, the script kiddies
often screw up and even manage to do things that render a machine unable to
log a user in... i remember one login trojan that had an error where the
first time you'd type in the username it would just ignore it and ask for
your username again (no password prompt in between). this was, of course, a
dead giveaway...

> I don't remember the exact option, since I didn't use RPM last few years, but
> I remember using such a command that tell if a file differ from the one
> that comes with the package.

`rpm --verify` or just `rpm -V`, as Jesse already noted...

> that help finding rootkit/backdoor

not necessarily. what if the rootkit is a clever one and it changes your rpm
database to think the trojanned files are the originals? or if it installs a
trojan libc that mis-reports stat calls made on the rootkit payload? or a
kernel mod? and of course, this only helps with rootkits that disturb files
that were previously installed....

of course, most rootkits aren't so clever ... but once the machine is
compromised, the game is over and nothing can really be trusted. it's time to
pack up, reformat, and try again. =/

- -- 
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/PoIr1rcusafx20MRAsE5AJ42uYvBWu3Q+sF02aXUfSsfy/Q3YACcCg0q
fQ9QCYpfIxhyKZIIi60ej0g=
=A3tM
-----END PGP SIGNATURE-----
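Added example, not part of the thread or of Aaron's message: a small Python triage helper for the `rpm -V` output discussed above. It parses rpm's verification lines (the `S M 5 D L U G T P` flag column, the optional `c`/`d`/`g`/`l`/`r` attribute marker, and `missing` entries) and ranks each hit by how much a defender should care: a digest, size, mode or ownership change on a login-type binary is high, a locally edited config file or an mtime-only change is low. The sample output and the `SENSITIVE` path list are constructed for the example. As the thread says, the verdict is only as good as the rpm binary, libc, kernel and rpmdb producing it; on a suspect host the same parser is better fed with output from `rpm -Vp <original.rpm>` run against a clean-media package, or from a trusted boot with the suspect disk mounted read-only.

```python
"""Triage helper for `rpm -V` output (added example; sample data is constructed).

Flag column, per rpm: S size, M mode, 5 digest, D device, L symlink target,
U owner, G group, T mtime, P capabilities; '.' = test passed, '?' = not testable.
"""
import re

FLAG_MEANING = {
    "S": "file size differs", "M": "mode differs", "5": "digest differs",
    "D": "device major/minor differs", "L": "symlink target differs",
    "U": "owner differs", "G": "group differs", "T": "mtime differs",
    "P": "capabilities differ",
}

# Attribute marker rpm prints between the flag column and the path.
ATTR = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

# Constructed watch list: binaries a login trojan or rootkit typically replaces.
SENSITIVE = {"/bin/login", "/bin/ps", "/bin/ls", "/bin/netstat", "/usr/bin/ssh"}

# Flags that mean the file's content or trust properties changed, not just its clock.
CONTENT_FLAGS = {"5", "S", "M", "U", "G"}

LINE_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:([cdglr])\s+)?(\S.*)$")


def parse_line(line):
    """Return a record for one `rpm -V` line, or None if it is not one."""
    line = line.rstrip("\n")
    m = MISSING_RE.match(line)
    if m:
        return {"path": m.group(2), "attr": ATTR.get(m.group(1)),
                "missing": True, "flags": set()}
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = {ch for ch in m.group(1) if ch in FLAG_MEANING}
    return {"path": m.group(3), "attr": ATTR.get(m.group(2)),
            "missing": False, "flags": flags}


def severity(rec):
    """Rank a verification hit from a defender's point of view."""
    if rec["missing"]:
        return "high" if rec["path"] in SENSITIVE else "medium"
    if rec["path"] in SENSITIVE and rec["flags"] & CONTENT_FLAGS:
        return "high"      # content/ownership of a security-critical binary changed
    if rec["attr"] == "config":
        return "low"       # locally edited config files are expected to differ
    if rec["flags"] <= {"T"}:
        return "low"       # mtime-only: usually a reinstall or a stray touch
    return "medium"


def classify(output):
    """Parse a whole `rpm -V` run and attach a severity to each hit."""
    results = []
    for line in output.splitlines():
        rec = parse_line(line)
        if rec:
            rec["severity"] = severity(rec)
            results.append(rec)
    return results


def high_risk(output):
    """Paths that deserve immediate attention (ordered as rpm printed them)."""
    return [r["path"] for r in classify(output) if r["severity"] == "high"]


# Constructed sample of what `rpm -Va` might print; not captured from a real host.
SAMPLE = """\
S.5....T.    /bin/login
.......T.    /usr/bin/vim
S.5....T.  c /etc/hosts
missing      /usr/share/doc/foo/README
S.5......    /usr/lib/libfoo.so.1
"""

if __name__ == "__main__":
    for rec in classify(SAMPLE):
        what = "missing" if rec["missing"] else ", ".join(
            FLAG_MEANING[f] for f in sorted(rec["flags"]))
        print(f"[{rec['severity']:6}] {rec['path']}: {what}")
```

Run it with `rpm -Va | python3 rpm_triage.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`; the example keeps the constructed sample inline so it runs offline.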
