On Sat, 2005-12-10 at 23:37 -0700, Craig White wrote:
> ----
> Backing up data directories and reinstalling from scratch is the only
> known method to ensure the integrity of a system that has been
> compromised.

Sun used to (still does?) allow you to enter an md5sum and it would tell you exactly what file it matched, along with what patch level. That kind of thing does allow you to restore a compromised system, by verifying the binaries on the system. However - you have to have a way to verify every binary, from a boot CD (since you can't trust binaries/libraries on the system) - and trash any binary you don't trust.

It is best to keep a log of installed packages, and back up configuration files periodically, so that you can restore by clean install if needed - but it *is* possible to have a system where you can verify that the software installed has not been compromised. If you have a backup of your rpm database from before the box was owned, you can use the rpm binary from the rescue CD (or install CD if not on rescue CD) to verify your packages against the known good rpm database.
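
Verifying every package against a trusted rpm database prints one line per file that differs, and on a real system most of those lines are harmless. The following is an added example, not part of the original message: a Python triage of `rpm -Va`-style output that separates changed or missing binaries from edited config files and metadata-only drift. The bucket names, function names and sample lines are constructed for illustration.

```python
import re

# One rpm verify line: 8 or 9 flag columns (or the word "missing"),
# an optional file-type marker (c=config, d=doc, g=ghost, l=license, r=readme),
# then the path. "." = test passed, "?" = test could not be performed.
LINE_RE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)

def triage(output):
    """Sort rpm verify output into buckets by how much attention each file needs."""
    buckets = {k: [] for k in ("content_changed", "missing", "unverified",
                               "config_changed", "perms_changed",
                               "metadata_only", "unparsed")}
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            buckets["unparsed"].append(line)
            continue
        flags, attr, path = m.group("flags", "attr", "path")
        if flags == "missing":
            key = "missing"
        elif "5" in flags:
            # Digest mismatch: contents differ from what the package shipped.
            # Config files are expected to be edited but still need a manual read.
            key = "config_changed" if attr == "c" else "content_changed"
        elif "?" in flags:
            key = "unverified"          # a check could not run; do not trust it
        elif set(flags) & set("MUG"):
            key = "perms_changed"       # mode, owner or group differs
        else:
            key = "metadata_only"       # e.g. only mtime (T) differs
        buckets[key].append(path)
    return buckets

def untrusted_files(buckets):
    """Files to replace from known-good media before the system is trusted."""
    return sorted(buckets["content_changed"] + buckets["missing"] + buckets["unverified"])

# Constructed sample output, not taken from a real system.
SAMPLE = """\
S.5....T.    /bin/ls
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
.......T.    /usr/lib/libfoo.so.1
missing      /sbin/ifconfig
..?......    /usr/sbin/sshd
"""

if __name__ == "__main__":
    for name, paths in triage(SAMPLE).items():
        print(f"{name}: {paths}")
```

Files that no package owns never appear in verify output, so this check covers only what the database knows about.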