Business case for switching to Linux

Fraser Campbell fraser-eicrhRFjby5dCsDujFhwbypxlwaOVQ5f at public.gmane.org
Tue Apr 11 00:01:13 UTC 2006


John Van Ostrand wrote:

>>Fraser Campbell wrote:
>>
>>>It is quite a reasonable approach.  On a hacked Linux box I would highly 
>>>recommend reimage/reinstall as well.
> 
> For a novice user, perhaps. RPM based systems can be fixed quite easily.
> Altered files can be found with "rpm -Va" and inspected. The toughest
> one I had was when infected files like 'ls' and 'ps' would re-infect
> when run. Installing RPMs that used infected commands in pre or post
> install scripts would re-infect. Even then the --noscripts option worked
> great.

A full review would mean inspecting every single init script and config 
file for differences from original and inspecting every single file not 
owned by RPM - "rpm -Va" won't tell you that a modified 
/etc/sysconfig/network file is actually starting some spambot.

Every single user's files should be suspect as well - you wouldn't want a 
user's .bashrc/.profile/.cshrc/.??? reinstalling a rootkit on you.

chkrootkit probably helps though I haven't tried it on hacked systems 
before since I was always able to find the hacks via hints in /proc - or 
maybe I just thought that I always found the hacks.

A hacked system might be fixable but I stick by my opinion that it's both 
easier and better to reinstall in many cases no matter how much you know.


> If you're worried about root kits becoming smart enough to mangle the
> RPM database, then archive and sign it.

Or use tripwire look-alikes.

-- 
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org>                 http://www.wehave.net/
Georgetown, Ontario, Canada                               Debian GNU/Linux
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
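The thread's two points, that "rpm -Va" says nothing about files no package owns (a modified config file or a user's dotfiles) and that a baseline is only useful if it is archived and signed so a rootkit can't quietly rewrite it, can be shown with a small tripwire-style checker. The code below is an added example, not code from the post, from TLUG or from any real tripwire implementation: it records a SHA-256 digest, mode and ownership for every file under a directory, signs the manifest with an HMAC key that is assumed to be kept off the monitored host, and later reports added, removed and modified files while refusing a manifest whose tag no longer matches. The directory layout, file contents and key in demo() are constructed for the example.

```python
"""Tripwire-style baseline: hash every file, sign the manifest, diff later.

Added example for the TLUG thread above; not code from the original post.
Assumptions: the HMAC key is stored off the monitored machine (here a
constructed constant), and the baseline is taken from a known-good state.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Constructed key for the example; a real deployment keeps it off the box.
EXAMPLE_KEY = b"example-offline-key-not-for-production"


def file_record(path):
    """Digest, mode and ownership for one path (symlinks record their target)."""
    st = os.lstat(path)
    rec = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISLNK(st.st_mode):
        rec["link"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_manifest(root):
    """Walk root and record every file, keyed by path relative to root."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = file_record(full)
    return entries


def sign_manifest(entries, key):
    """Serialise deterministically and attach an HMAC-SHA256 tag."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"entries": body, "hmac": tag})


def load_manifest(signed, key):
    """Check the tag before trusting the baseline; raise if it was altered."""
    doc = json.loads(signed)
    expected = hmac.new(key, doc["entries"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest signature mismatch: baseline not trustworthy")
    return json.loads(doc["entries"])


def compare(baseline, current):
    """Return sorted lists (added, removed, modified) of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def _write(root, rel, data):
    """Helper: create a file (and parent directories) under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a tree, change it, and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sysconfig/network", "NETWORKING=yes\n")
        _write(root, "home/alice/.bashrc", "export PATH=/usr/bin:/bin\n")
        _write(root, "etc/init.d/sshd", "#!/bin/sh\nexec /usr/sbin/sshd\n")
        signed = sign_manifest(build_manifest(root), EXAMPLE_KEY)

        # Changes after the baseline (constructed): an edited config file that no
        # package owns, an extra startup script, and a user's dotfile removed.
        _write(root, "etc/sysconfig/network", "NETWORKING=yes\nGATEWAY=192.0.2.1\n")
        _write(root, "etc/init.d/zz-local", "#!/bin/sh\n/usr/local/bin/zz-local\n")
        os.remove(os.path.join(root, "home/alice/.bashrc"))

        baseline = load_manifest(signed, EXAMPLE_KEY)
        added, removed, modified = compare(baseline, build_manifest(root))

        # A baseline edited on the box is rejected: the HMAC no longer matches.
        doc = json.loads(signed)
        doc["entries"] = doc["entries"].replace("etc/init.d/sshd", "etc/init.d/sshx")
        try:
            load_manifest(json.dumps(doc), EXAMPLE_KEY)
            tamper_detected = False
        except ValueError:
            tamper_detected = True

    return {"added": added, "removed": removed, "modified": modified,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff covers exactly what "rpm -Va" misses in the thread: the edited /etc/sysconfig/network, the startup script nobody packaged, and the missing per-user dotfile. Because the manifest is keyed with a secret that never sits on the monitored host, a rootkit that rewrites the archived baseline produces a tag mismatch instead of a clean report, which is the point of the "archive and sign it" suggestion.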