Once upon a time, "Andrew Smith" <[EMAIL PROTECTED]> wrote :

> Well, I guess you realise this, but I'd guess the t0rn kit means
> someone hacked in - not a worm.

No, in fact this was a server someone wanted me to have a look at because
it was behaving strangely... it turned out that the "admin" that resigned
a few months earlier had installed the rootkit!

> I had this on a few computers before reinstalling them, I even
> still have the IP addresses and telnet packets they sent fully
> logged, but that was almost a year ago when it happened.
> They ftp'd the t0rn kit onto my computers and then proceeded to
> hack about with it and install trojans and listening sockets.
> This was what first made me set up a firewall back on 6.2 :-)
> "rpm -Va" is 99% OK - but in a few cases it will not tell you
> everything:
>  If you don't have EVERYTHING using rpm,
> OR
>  of course config files may also be changed by the hackers after
>  you have changed them

Well, that's why I NEVER install from sources, I build my own RPMs if I
need to, then make them available. That will to keep a 100% pure rpm-based
distro is what started freshrpms.net, all my systems have their /usr/local
totally empty ;-)
A hacker would need to be really aware of how rpm works to be able to
cover his tracks other than by erasing or corrupting the rpm database (I
would get suspicious if one day my rpm db was "out of order"), then again
yes, it is possible... but I really think "rpm -V" is a quick and useful
way of checking file integrity, when you have an rpm-based system, it
costs nothing!

Matthias

-- 
Matthias (Thias) Saou             http://www.marmotte.net/
---------------------       French - Canadian - Spanish resident

http://rpmforge.net/    -   Hairy and scary RPM related projects
http://freshrpms.net/   -   RPMs just like mom used to make them



_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
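
The check discussed in this thread, as an added example that is not part of the original messages: a shell function that sorts `rpm -Va` output so changed binaries stand out from edited config files, plus a helper that lists files no package owns (the case `rpm -Va` cannot see). The function names and sample lines are constructed for illustration; the sample uses the 8-character flag column, and the parser also accepts the 9-character form printed by newer rpm.

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -Va` output read on stdin.
# Prints "<LEVEL> <path> <reason>" per finding; LEVEL is HIGH, REVIEW or LOW.
triage_rpm_verify() {
    awk '
    {
        flags = $1; rest = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)      # drop the flags column
        marker = ""
        if (rest ~ /^[cdglr][ \t]+\//) {            # c=config d=doc g=ghost ...
            marker = substr(rest, 1, 1)
            sub(/^[cdglr][ \t]+/, "", rest)
        }
        path = rest
        if (flags == "missing") {
            print "HIGH", path, "file-missing"
        } else if (marker == "c") {
            # Config edits are normal, so rpm cannot say who made them: diff by hand.
            print "REVIEW", path, "config-changed"
        } else if (index(flags, "5")) {
            print "HIGH", path, "content-differs-from-package"
        } else if (flags ~ /[MUG]/) {
            print "HIGH", path, "mode-or-owner-changed"
        } else {
            print "LOW", path, "metadata-only"
        }
    }'
}

# Files under a directory that no package owns; `rpm -Va` never checks these.
unowned_files() {
    find "$1" -xdev -type f -exec sh -c \
        'rpm -qf "$1" >/dev/null 2>&1 || printf "%s\n" "$1"' _ {} \;
}

# Constructed sample in `rpm -Va` format (not taken from a real host).
sample_rpm_va() {
    cat <<'EOF'
S.5....T c /etc/ssh/sshd_config
S.5....T   /bin/ps
.M......   /usr/bin/passwd
.......T d /usr/share/doc/foo/README
missing    /sbin/ifconfig
EOF
}

sample_rpm_va | triage_rpm_verify
```

On a live system the input would come from `rpm -Va | triage_rpm_verify`, and `unowned_files /usr/local` covers the files outside the rpm database.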
