Peter C. Norton writes:
> As to why I'd rather not have to recreate the files - if I'm following
> a break-in, I have more useful things to do, like find the schmuck who
> did it. Being able to verify binaries on a large number of systems
> helps me do that.
So what do you do about /etc/aliases.db? Why can't you do the same thing
with the qmail files?
I get the impression that, in fact, you don't verify /etc/aliases.db,
and that you're relying on security through obscurity. That's dangerous.
Promoting such behavior is irresponsible.
> Don't you want to know how you're being attacked?
How the initial intrusion happened, yes, so that I can explain how to
fix the hole. But there's no hole involved in setting up a trojan horse
once you already have root.
> But it's not possible to do this across multiple systems that have
> different uid's.
Wrong. All the necessary tools are included in a var-qmail package. Go
read http://pobox.com/~djb/qmail/var-qmail.html.
---Dan
