These are all very true - but my honeypot hasn't been attacked by any
script kiddies that modify the RPMs... yet.
Has anyone else?
Benjamin Scott wrote:
>
> On Wed, 1 Nov 2000, Steven W. Orr wrote:
> > I always thought that this was one of the beauties of rpm. If you thought
> > you were hacked, all you need to do is to reinstall rpm a la
> >
> > rpm -Uvh --force rpm-blahblah
> >
> > and then run
> >
> > rpm -Va
> >
> > to see if any individual files are corrupted.
>
> Well, first, if RPM has been subverted, then it has likely been modified to
> not allow you to replace the packages that have also been modified, including
> RPM itself.
>
> Okay, so, let us say you boot from known-good media and use a known-good
> copy of RPM on the RPM database on the system.
>
> Problem is, if the RPM database has been modified, then all the checksum
> information in the database will likely match the tampered files on the
> system.
>
> Even if you used that known-good environment to simply reinstall every RPM
> on the system, that will not handle:
>
> - Modified configuration files (e.g., extra root account in /etc/passwd)
> - Files outside of the RPM database (e.g., an SUID-root copy of /bin/sh
> stored in some unexpected location)
> - Files with the ext2fs immutable bit set
> - Modifications to the boot sectors of your system
> - Modifications to the filesystem structure
>
> In short: RPM is a package manager. It is not a substitute for a real IDS.
>
> --
> Ben Scott <[EMAIL PROTECTED]>
> Net Technologies, Inc. <http://www.ntisys.com>
> Voice: (800)905-3049 x18 Fax: (978)499-7839
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
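The checks Ben lists, as an added example that is not code from either message: a small POSIX shell script that triages the output of rpm -Va (separating changed config files from tampered binaries and missing files), picks out SUID files that rpm -qf cannot attribute to any package, and finds files carrying the ext2 immutable or append-only attribute that a forced reinstall cannot overwrite. All sample input is constructed; the package name and paths in it are invented for the demonstration, and the CD and database paths in the trailing comments are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original thread). These functions parse
# the text formats of "rpm -Va", "rpm -qf" and "lsattr" so the triage logic
# can be exercised on constructed sample input; the real command pipelines
# are shown at the end. Paths containing whitespace are not handled.

# Triage "rpm -Va" output read on stdin. Each line is a flag string
# (S size, M mode, 5 digest, D device, L symlink, U user, G group,
# T mtime; "." passed, "?" not tested), an optional attribute letter
# (c = config file, d = doc, ...) and the path; missing files appear as
# "missing   [attr] /path". Prints "TAMPERED path" for non-config files
# whose content, mode, owner or link target differs or which are missing,
# and "CONFIG path" for changed config files, which need a manual look
# (an extra root account in /etc/passwd shows up here, not as TAMPERED).
# Pure mtime changes are ignored as low-signal.
rpm_verify_triage() {
    set -f                                  # no globbing during word-split
    while IFS= read -r line; do
        set -- $line                        # flags [attr] path
        [ $# -ge 2 ] || continue
        flags=$1 attr=
        [ $# -ge 3 ] && attr=$2
        for path in "$@"; do :; done        # last field is the path
        if [ "$flags" = missing ]; then
            echo "TAMPERED $path"
            continue
        fi
        case "$flags" in
            *S*|*M*|*5*|*L*|*U*|*G*)
                if [ "$attr" = c ]; then
                    echo "CONFIG $path"
                else
                    echo "TAMPERED $path"
                fi ;;
        esac
    done
    set +f
}

# Read "path<TAB>rpm -qf answer" lines on stdin and print the SUID files
# that belong to no package. rpm -qf reports an unowned file as
# "file /path is not owned by any package".
unowned_suid() {
    tab=$(printf '\t')
    while IFS=$tab read -r path answer; do
        case "$answer" in
            *"is not owned by any package"*) echo "UNOWNED-SUID $path" ;;
        esac
    done
}

# Read "lsattr -R" output on stdin ("<attrs> <path>", plus directory
# headers and blank lines) and print files with the immutable (i) or
# append-only (a) attribute, which "rpm -Uvh --force" cannot replace.
immutable_files() {
    while read -r attrs path; do
        [ -n "$path" ] || continue          # skip "dir:" headers and blanks
        case "$attrs" in
            *i*|*a*) echo "IMMUTABLE $path" ;;
        esac
    done
}

# Constructed sample output standing in for the real commands.
sample_verify='S.5....T.  c /etc/passwd
S.5....T.    /bin/login
.......T.    /usr/share/doc/bash/README
missing     /usr/bin/sudo'
sample_suid=$(printf '/usr/bin/passwd\tpasswd-0.64-1\n/tmp/.x/sh\tfile /tmp/.x/sh is not owned by any package')
sample_lsattr='/bin:
------------------- /bin/ls
----i-------------- /bin/login

/sbin:
------------------- /sbin/init'

run_demo() {
    printf '%s\n' "$sample_verify" | rpm_verify_triage
    printf '%s\n' "$sample_suid"   | unowned_suid
    printf '%s\n' "$sample_lsattr" | immutable_files
}
run_demo

# On the real box, booted from trusted media and using the known-good rpm
# (paths are assumptions):
#   rpm -Va --dbpath /mnt/trusted/var/lib/rpm      | rpm_verify_triage
#   rpm -Vp /mnt/cdrom/RedHat/RPMS/*.rpm           | rpm_verify_triage
#   find / -xdev -type f -perm -4000 | while read -r f; do
#       printf '%s\t%s\n' "$f" "$(rpm -qf "$f" 2>&1)"; done | unowned_suid
#   lsattr -R / 2>/dev/null | immutable_files
```

The second rpm line matters for the database-tampering case: rpm -Vp checks the installed files against the metadata inside the original package files, so it does not trust the on-disk RPM database at all. None of this covers the boot sector or filesystem-structure changes Ben mentions; that is still the job of a real IDS or an offline comparison against a known-good image.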