Business case for switching to Linux
John Van Ostrand
john-Da48MpWaEp0CzWx7n4ubxQ at public.gmane.org
Tue Apr 11 00:51:03 UTC 2006
On Mon, 2006-04-10 at 20:01 -0400, Fraser Campbell wrote:
> John Van Ostrand wrote:
>
> >>Fraser Campbell wrote:
> >>
> >>>It is quite a reasonable approach. On a hacked Linux box I would highly
> >>>recommend reimage/reinstall as well.
> >
> > For a novice user, perhaps. RPM based systems can be fixed quite easily.
> > Altered files can be found with "rpm -Va" and inspected. The toughest
> > one I had was when infected files like 'ls' and 'ps' would re-infect
> > when run. Installing RPMs that used infected commands in pre or post
> > install scripts would re-infect. Even then the --noscripts option worked
> > great.
>
> A full review would mean inspecting every single init script and config
> file for differences from original and inspecting every single file not
> owned by RPM - "rpm -Va" won't tell you that a modified
> /etc/sysconfig/network file is actually starting some spambot.
rpm -Va will tell you that it was modified, it's up to you to check the
file.
A quick reboot and a clean rpm -Va followed by a ps, netstat, etc will
ensure that you've caught everything.
> Every single user's files should be suspect as well - you wouldn't want a
> user's .bashrc/.profile/.cshrc/.??? reinstalling a rootkit on you.
How would a re-install help unless you intend to replace, restore or
delete those files? If you're going to do that why not on a "fixed" system
then too?
> chkrootkit probably helps though I haven't tried it on hacked systems
> before since I was always able to find the hacks via hints in /proc - or
> maybe I just thought that I always found the hacks.
Me too.
> A hacked system might be fixable but I stick by opinion that it's both
> easier and better to reinstall in many cases no matter how much you know.
It really depends on the system and the administrator. A re-install of a
complex system that would take days to reconfigure may be more of a
business hit than the hour to fix it.
If it's just a web server then a re-install could work, as long as you
can restore the application data fast enough.
Still you may end up restoring hacked files.
> > If you're worried about root kits becoming smart enough to mangle the
> > RPM database, then archive and sign it.
>
> Or use tripwire look alikes.
>
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
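As an added example (not part of the thread), a small POSIX shell/awk triage of saved `rpm -Va` output: it separates MD5-changed package binaries (reinstall candidates, with `--noscripts` as John describes) from edited config files that still need a human read, which is the `/etc/sysconfig/network` case Fraser raises. The bucket names and the sample verify lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage saved `rpm -Va` output so that
# changed package binaries (MD5 mismatch) are separated from edited config
# files and from mtime/size-only noise. Offline use:
#   rpm -Va > verify.txt ; triage_rpm_verify < verify.txt
# Bucket names and the sample below are constructed for illustration.

# Reads rpm -V lines on stdin, prints "<bucket> <path>" per line.
# Handles both the 8-char (S.5....T) and 9-char (S.5....T.) attribute forms.
triage_rpm_verify() {
    awk '
    # Fields: attrs [type-flag] path. The type flag (c d g l r) is a single
    # letter between the attribute string and the path; plain files have none.
    NF >= 2 && ($1 == "missing" || $1 ~ /^[SM5DLUGTP.?]+$/) {
        attrs = $1
        if (NF >= 3 && length($2) == 1) { type = $2; path = $3 }
        else                            { type = "";  path = $2 }

        if (attrs == "missing") {
            bucket = "MISSING"          # file removed from an installed package
        } else if (index(attrs, "5") > 0 && type != "c") {
            bucket = "CHANGED_BINARY"   # payload differs: reinstall, do not trust
        } else if (index(attrs, "5") > 0 && type == "c") {
            bucket = "EDITED_CONFIG"    # admin edit or persistence: read it
        } else if (attrs ~ /[MUGL]/) {
            bucket = "PERM_OR_OWNER"    # mode/owner/link changed, content intact
        } else {
            bucket = "NOISE"            # only size/mtime: prelink, logrotate, etc.
        }
        print bucket, path
    }'
}

# Constructed sample of what a verify run on a tampered host might print.
SAMPLE='S.5....T.    /bin/ls
S.5....T.    /bin/ps
S.5....T.  c /etc/sysconfig/network
.......T.  c /etc/hosts
.M.......    /usr/bin/passwd
missing      /usr/sbin/lsof'

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | triage_rpm_verify
```

Only the CHANGED_BINARY and MISSING buckets justify a package reinstall; EDITED_CONFIG entries are exactly the files `rpm -Va` flags but cannot judge for you.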