Anton Chuvakin <[EMAIL PROTECTED]> writes:

> Do you know any of the RPM-aware rootkits for Linux which will not be
> detected by "rpm --verify"? I would prefer a direct edit of /var/lib/rpm
> rather than a trojaned rpm binary, but what the heck - whatever will do.

Just create a modified rpm and install it instead of the first one. RPM
will do all the edits for you.

> I need to deploy something on Linux which will pass the "rpm -V", but will
> involve replacing some binaries. I can rebuild the stuff from source
> RPMs, recreate the package and then replace the stock RPM, but it is too
> messy (the GPG sig will be different, but that will hopefully be OK for the
> honeypot).

rpm --checksig is a preinstallation check that will check the signed
package but not the signed extracted contents. The rpm -V quick check
should still come back silent. -V is really meant to be more of a "did I
change anything" than a "did an attacker change anything".

What won't work in this situation is attackers that have the md5sums or
signatures for various binaries on the machine that you are intending to
replace.

HTH,

-- 
Chris Green <[EMAIL PROTECTED]>
I've had a perfectly wonderful evening. But this wasn't it. -- Groucho Marx
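The exchange above turns on what `rpm -V` actually compares against: the per-file size, mode and digest that rpm recorded in its own database (/var/lib/rpm) at install time. Installing a rebuilt package rewrites those records, so the trojaned files then verify clean. The following is an added example, not rpm's code and not anything from the thread: a small Python model of that comparison that shows the three cases the reply describes (a binary overwritten in place, the same trojan installed as a rebuilt package, and a check against digests kept off the host). The reduced flag string `S.5` (size, mode, digest) is a subset of rpm's real `SM5DLUGT` output; the trusted-manifest case corresponds to verifying against a pristine package file obtained out of band (`rpm -Vp <file.rpm>`) rather than against the on-host database. Paths, file contents and the "package" itself are constructed for the demo.

```python
"""Model of rpm -V semantics (constructed example, not rpm's own code).

The 'database' is a dict of per-file records, the way rpm stores size,
mode and a content digest for each installed file. verify() reports a
file whenever the live copy disagrees with the record it is checked
against; which record that is decides what the check can and cannot see.
"""
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """What rpm keeps per file: size, permission bits, content digest.

    rpm of that era stored MD5 (the '5' column of rpm -V); the algorithm
    does not matter for the point being made here."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.md5(f.read()).hexdigest()
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "md5": digest}


def install(files, db):
    """Model of 'rpm -i/-U': lay the files down AND (re)write their db records.

    This is the step the reply relies on: a rebuilt package carrying a
    trojan gets its own digests recorded, so -V later agrees with it."""
    for path, content, mode in files:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
        db[path] = file_record(path)


def verify(db):
    """rpm -V style check: compare live files to the records in `db`.

    Returns a list of (path, flags) for files that differ. Flags use a
    reduced 'S.5' column set: S size, M mode, 5 digest, '.' unchanged."""
    findings = []
    for path, rec in db.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        cur = file_record(path)
        flags = "".join(
            mark if cur[key] != rec[key] else "."
            for key, mark in (("size", "S"), ("mode", "M"), ("md5", "5"))
        )
        if flags != "...":
            findings.append((path, flags))
    return findings


def demo():
    """Run the three scenarios; return {scenario: verify() findings}."""
    tmp = tempfile.mkdtemp()
    target = os.path.join(tmp, "bin", "ls")
    # Constructed 'stock' package: one shell wrapper standing in for a binary.
    stock = [(target, b'#!/bin/sh\nexec /usr/bin/real-ls "$@"\n', 0o755)]
    db = {}                       # stands in for /var/lib/rpm
    install(stock, db)
    # Digests captured from the pristine package off-host (the analogue of
    # checking against a trusted .rpm file instead of the local database).
    trusted = {p: dict(r) for p, r in db.items()}

    results = {"clean": verify(db)}

    # Case 1: attacker overwrites the file in place, leaves the db alone.
    trojan = (target, b'#!/bin/sh\n/bin/sh -c "do evil"\nexec /usr/bin/real-ls "$@"\n', 0o755)
    with open(trojan[0], "wb") as f:
        f.write(trojan[1])
    results["direct_edit"] = verify(db)          # -V flags it: size+digest differ

    # Case 2: attacker installs a rebuilt package containing the trojan;
    # rpm updates the records for them, and -V against the local db is silent.
    install([trojan], db)
    results["modified_rpm"] = verify(db)

    # Case 3: defender verifies against records that never lived on the host.
    results["against_trusted"] = verify(trusted)
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario:16s} {findings or 'OK'}")
```

The third case is the practical takeaway from the reply's last paragraph: a verifier is only as trustworthy as the record it compares against, so the record has to come from somewhere the attacker could not rewrite, whether that is a signed package file fetched from the vendor, a manifest exported before the host went live, or a read-only baseline kept on another machine.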