[olug] firewall
Phil Brutsche
pbrutsch at creighton.edu
Wed Jun 13 20:11:47 UTC 2001
Quoting "Chad S. Lauritsen" <csl at plconline.com>:
> Hi Jon,
>
> To check if things have been modified on your system, you can use rpm if
> you're on an rpm-based system such as redhat, mandrake, etc.
>
> rpm -Va
That shouldn't be relied on as gospel. I've seen some rootkits that install
their files via rpm rather than just over-writing /bin/ps and friends.
> will check the status of each file installed using rpm, and report
> discrepancies such as last modified time, md5 checksum, size, etc.
> Read the rpm man page for fuller details.
>
> Can similar be done on debian? If so, how? (I don't have access
> currently to a debian system).
Yes - debsums
Generally speaking you don't want to rely on any information stored in the
system's package database - it could easily have been modified, just as the
programs were. However, most "attackers" are just stupid, inexperienced kids
running automated scripts. They (the kids and the scripts) generally aren't
smart enough to edit the rpm and dpkg databases :)
A program called "tripwire" is probably your best bet at watching for any
alterations to files. I don't know what the homepage is, but you'll be able to
find it on freshmeat.net
Phil
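The thread's point is that `rpm -Va` and `debsums` compare files against the package database on the same host, which an intruder who has already replaced `/bin/ps` can also edit. The alternative Phil names, tripwire, keeps its own baseline of hashes and file attributes. The script below is an added example of that idea in plain Python; it is not code from the list, from tripwire, or from any distribution tool. It walks a directory, records a SHA-256 digest, size, mode and mtime for each regular file, stores that as a JSON baseline, and reports files that were added, removed or changed. The sample tree it builds under a temporary directory and the file names `bin/ps`, `bin/ls` and `bin/new` are constructed for the demo.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Hash and stat one regular file without consulting any package database."""
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": int(st.st_mtime),
    }


def build_baseline(root) -> dict:
    """Map each regular file under root (relative path) to its record."""
    root = Path(root)
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope here
            records[str(p.relative_to(root))] = file_record(p)
    return records


def save_baseline(records: dict, path) -> None:
    Path(path).write_text(json.dumps(records, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files between two baselines."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        changed = [k for k in ("sha256", "size", "mode") if old[k] != new[k]]
        # A timestamp change with identical content is still worth a look.
        if not changed and old["mtime"] != new["mtime"]:
            changed.append("mtime")
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def run_demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and diff."""
    root = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    (root / "bin").mkdir()
    (root / "bin" / "ps").write_bytes(b"original ps\n")   # constructed sample
    (root / "bin" / "ls").write_bytes(b"original ls\n")   # constructed sample
    baseline_file = root / "baseline.json"
    save_baseline(build_baseline(root / "bin"), baseline_file)

    # Simulated tampering: same-size replacement, one deletion, one new file.
    (root / "bin" / "ps").write_bytes(b"trojaned ps\n")
    (root / "bin" / "ls").unlink()
    (root / "bin" / "new").write_bytes(b"dropped file\n")

    return compare(load_baseline(baseline_file), build_baseline(root / "bin"))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

The replacement of `ps` keeps the same byte count, so a size check alone would miss it; the digest does not. For the check to mean anything the baseline file must live somewhere the host cannot rewrite (read-only media or a separate machine), which is the same reason the thread distrusts the rpm and dpkg databases.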