Business case for switching to Linux

John Van Ostrand john-Da48MpWaEp0CzWx7n4ubxQ at public.gmane.org
Tue Apr 11 00:51:03 UTC 2006


On Mon, 2006-04-10 at 20:01 -0400, Fraser Campbell wrote:
> John Van Ostrand wrote:
> 
> >>Fraser Campbell wrote:
> >>
> >>>It is quite a reasonable approach.  On a hacked Linux box I would highly 
> >>>recommend reimage/reinstall as well.
> > 
> > For a novice user, perhaps. RPM based systems can be fixed quite easily.
> > Altered files can be found with "rpm -Va" and inspected. The toughest
> > one I had was when infected files like 'ls' and 'ps' would re-infect
> > when run. Installing RPMs that used infected commands in pre or post
> > install scripts would re-infect. Even then the --noscripts option worked
> > great.
> 
> A full review would mean inspecting every single init script and config 
> file for differences from original and inspecting every single file not 
> owned by RPM - "rpm -Va" won't tell you that a modified 
> /etc/sysconfig/network file is actually starting some spambot.

rpm -Va will tell you that it was modified, it's up to you to check the
file.

A quick reboot and a clean rpm -Va followed by a ps, netstat, etc. will
ensure that you've caught everything.

> Every single user's files should be suspect as well - you wouldn't want a 
> user's .bashrc/.profile/.cshrc/.??? reinstalling a rootkit on you.

How would a re-install help unless you intend to replace, restore or
delete those files? If you're going to do that, why not on a "fixed"
system then too?

> chkrootkit probably helps though I haven't tried it on hacked systems 
> before since I was always able to find the hacks via hints in /proc - or 
> maybe I just thought that I always found the hacks.

Me too.

> A hacked system might be fixable but I stick by opinion that it's both 
> easier and better to reinstall in many cases no matter how much you know.

It really depends on the system and the administrator. A re-install of a
complex system that would take days to reconfigure may be more of a
business hit than the hour to fix it.

If it's just a web server then a re-install could work, as long as you
can restore the application data fast enough.

Still you may end up restoring hacked files.

> > If you're worried about root kits becoming smart enough to mangle the
> > RPM database, then archive and sign it.
> 
> Or use tripwire look alikes.
> 

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
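The workflow the thread describes (run rpm -Va, decide which of the reported files actually need a look, and keep an archived, signed copy of the RPM database so a rootkit cannot quietly rewrite it, which is also what Fraser's "tripwire look-alikes" do) as an added example. This script is not part of the original thread and not from rpm or TLUG. It assumes GNU coreutils (sha256sum, sort, find, diff, mktemp) and a POSIX awk. The rpm -Va sample is constructed, not captured from a real host, and the CRITICAL/HIGH/REVIEW/LOW labels are this script's own triage scheme, not anything rpm reports.

```shell
#!/bin/sh
# Added example (not from the TLUG thread): triage "rpm -Va" output and keep an
# off-box checksum baseline of the RPM database, a cheap "tripwire look-alike".
# Assumes GNU coreutils (sha256sum, sort, find, diff, mktemp) and a POSIX awk.

# Constructed sample of `rpm -Va` output, NOT captured from a real host.
# Attribute string: S size, M mode, 5 digest, D device, L readlink, U user,
# G group, T mtime (P capabilities on newer rpm); "c" marks a config file.
# Older rpm prints 8 attribute columns, newer prints 9, so we match by letter.
SAMPLE_RPM_VA='S.5....T.    /bin/ls
S.5....T.    /usr/bin/ps
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/sysconfig/network
.M.......    /usr/sbin/sshd
missing     /usr/lib64/libcrypto.so.4
.......T.    /usr/share/doc/README'

# Read `rpm -Va` lines on stdin, print "SEVERITY path  reason" per line.
# Severity is this script's own triage scheme, not something rpm reports.
# Paths containing spaces are not handled (rpm -Va does not quote them).
triage_rpm_verify() {
  awk '
  NF >= 2 {
    flags = $1; path = $NF
    type = (NF == 3) ? $2 : ""
    content = index(flags, "5") || index(flags, "S")   # bytes differ from the package
    meta    = index(flags, "M") || index(flags, "U") || index(flags, "G") || index(flags, "L")
    if (flags == "missing")          { sev = "CRITICAL"; why = "packaged file deleted" }
    else if (content && type != "c") { sev = "CRITICAL"; why = "non-config file content replaced (trojaned binary?)" }
    else if (meta)                   { sev = "HIGH";     why = "mode/owner/symlink target changed" }
    else if (content)                { sev = "REVIEW";   why = "config content changed: diff against the package copy" }
    else                             { sev = "LOW";      why = "only mtime differs, content verified" }
    printf "%-8s %s  %s\n", sev, path, why
  }'
}

# Checksum every file under $1 (e.g. /var/lib/rpm) into manifest $2.
# Store the manifest off-box, or at least sign it (gpg --detach-sign), so a
# rootkit that rewrites the database cannot also rewrite the baseline.
make_baseline() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# Recompute and diff against the manifest: catches changed, removed AND added
# files (a plain `sha256sum -c` would miss added ones). Exit 0 means clean.
check_baseline() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) | diff "$2" -
}

# Self-test: build a fake rpm database, baseline it, tamper with it, and
# confirm the tamper is reported. Returns 0 when detection works.
demo_baseline() {
  tmp=$(mktemp -d) || return 2
  mkdir -p "$tmp/db" || return 2
  printf 'Packages\n' > "$tmp/db/Packages"
  printf 'Name\n'     > "$tmp/db/Name"
  make_baseline "$tmp/db" "$tmp/rpmdb.sha256" || { rm -rf "$tmp"; return 2; }
  check_baseline "$tmp/db" "$tmp/rpmdb.sha256" >/dev/null || { rm -rf "$tmp"; return 2; }  # pristine must pass
  printf 'trojan\n' >> "$tmp/db/Packages"        # simulate a rootkit mangling the db
  if check_baseline "$tmp/db" "$tmp/rpmdb.sha256" >/dev/null; then
    rm -rf "$tmp"; return 1                       # tamper went unnoticed
  fi
  rm -rf "$tmp"
  return 0
}

printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify
if demo_baseline; then echo "baseline check: tamper detected"; else echo "baseline check: FAILED"; fi
```

On a live box, pipe real output in with `rpm -Va | triage_rpm_verify`. Anything CRITICAL on a binary is the re-infection case John mentions: restore the package with `rpm -Uvh --replacepkgs --noscripts pkg.rpm` from known-good media so the package's pre/post scripts never execute the trojaned `ls` or `ps`. Files rpm does not own at all (the spambot dropped somewhere under /usr/local, say) are invisible to `rpm -Va`; `rpm -qf <path>` reports "not owned by any package" for those, and a filesystem baseline made with `make_baseline` over the directories you care about, taken while the host was still trusted, is what finds them afterwards.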