Business case for switching to Linux
Fraser Campbell
fraser-eicrhRFjby5dCsDujFhwbypxlwaOVQ5f at public.gmane.org
Tue Apr 11 00:01:13 UTC 2006
John Van Ostrand wrote:
>>Fraser Campbell wrote:
>>
>>>It is quite a reasonable approach. On a hacked Linux box I would highly
>>>recommend reimage/reinstall as well.
>
> For a novice user, perhaps. RPM based systems can be fixed quite easily.
> Altered files can be found with "rpm -Va" and inspected. The toughest
> one I had was when infected files like 'ls' and 'ps' would re-infect
> when run. Installing RPMs that used infected commands in pre or post
> install scripts would re-infect. Even then the --noscripts option worked
> great.
A full review would mean inspecting every single init script and config
file for differences from original and inspecting every single file not
owned by RPM - "rpm -Va" won't tell you that a modified
/etc/sysconfig/network file is actually starting some spambot.
Every single user's files should be suspect as well - you wouldn't want a
user's .bashrc/.profile/.cshrc/.??? reinstalling a rootkit on you.
chkrootkit probably helps though I haven't tried it on hacked systems
before since I was always able to find the hacks via hints in /proc - or
maybe I just thought that I always found the hacks.
A hacked system might be fixable but I stick by my opinion that it's both
easier and better to reinstall in many cases no matter how much you know.
> If you're worried about root kits becoming smart enough to mangle the
> RPM database, then archive and sign it.
Or use tripwire look-alikes.
--
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
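The two checks discussed in this thread, as an added example that is not part of the original messages: a triage filter for "rpm -Va" output (assuming the standard verify-flag column layout) and a minimal tripwire look-alike that baselines a directory tree with sha256 hashes and reports new, changed and missing files. The rpm output below is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: triage "rpm -Va" output and keep a
# simple hash manifest for files rpm does not track (a tripwire look-alike).
# Assumes GNU or BusyBox coreutils: sha256sum, find, awk, sort.

# Constructed sample of "rpm -Va" output. Column 1 holds the verify flags
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P caps), an optional attribute such as "c" (config file) follows, then the path.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
S.5....T.    /bin/ls
.......T.    /usr/share/doc/README
missing     /usr/bin/ps'

# Classify rpm -Va lines. A changed digest on a config file is usually an
# admin edit (CONFIG-EDIT); a changed digest or size on a non-config file
# such as /bin/ls is CONTENT and deserves a look, as does a missing file or
# a mode change (for example a newly set setuid bit). Only-mtime lines are dropped.
rpm_va_suspects() {
    printf '%s\n' "$1" | awk '
        $1 == "missing"        { print "MISSING     " $NF; next }
        NF == 3 && $2 == "c"   { if ($1 ~ /5/) print "CONFIG-EDIT " $3; next }
        $1 ~ /5/ || $1 ~ /S/   { print "CONTENT     " $NF; next }
        $1 ~ /M/               { print "MODE        " $NF }'
}

# Hash every regular file under directory $1 into manifest $2. Keep the
# manifest off the box (or sign it) so an intruder cannot rewrite the baseline.
baseline_create() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# Re-hash the tree and diff it against the manifest. Prints one line per
# NEW, CHANGED or MISSING file and returns non-zero when anything differs.
baseline_check() {
    diff_lines=$(find "$1" -type f -exec sha256sum {} + | awk -v manifest="$2" '
        BEGIN { while ((getline line < manifest) > 0)
                    want[substr(line, 67)] = substr(line, 1, 64) }
        { path = substr($0, 67); sum = substr($0, 1, 64); seen[path] = 1
          if (!(path in want))        print "NEW         " path
          else if (want[path] != sum) print "CHANGED     " path }
        END { for (path in want) if (!(path in seen)) print "MISSING     " path }' | sort)
    [ -z "$diff_lines" ] && return 0
    printf '%s\n' "$diff_lines"
    return 1
}
```

Run rpm_va_suspects on real "rpm -Va" output and baseline_create on /etc or a user's home before an incident; baseline_check then shows what rpm alone would not, including unpackaged files and dotfiles that appeared later.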