On Tue, 2009-06-16 at 19:09 +0000, Dick Gevers wrote: > > Aye. What I meant is: if Brian has 300 packages, let's call them 1 thru 300, > and Ubuntu updates packages 3, 190 and 250 and Brian's box runs an rkhunter > hashupdate right after that, Brian will miss when a rootkit has 'fixed' > package no. 13. > Surely though when an RKH check is next run the package manager will then say that package 13 is invalid (unless the rootkit has modified the package database as well)?
For Debian/Ubuntu the package manager is only used for file checksum (hash) verification; all other file properties come from the stored properties file. John. -- --------------------------------------------------------------- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 E-mail: john.ho...@plymouth.ac.uk Fax: +44 (0)1752 587001 ------------------------------------------------------------------------------ Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects _______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users