Re: Ack! I've been rooted...


 



On Fri, 2 Feb 2007, Mark Knoop wrote:

On 02/02/07, Steven W. Orr <steveo@xxxxxxxxxxx> wrote:
I read this thread and I have a question on why this problem is not
handled in a more direct approach instead of the blood&guts reload
approach: If you simply reinstall the rpm package (something like)

rpm --replacepkgs -vh rpm-4.4.1-22.i386.rpm

then you know that the binaries are good. From there all you have to do is

Well that's not quite true, is it. Presumably your suggestion is to
reinstall rpm because of the possibility that it has been hacked. But
if you're using a hacked version of rpm to reinstall it, you can't be
sure that it is doing as it is supposed to - i.e. the hacked rpm could
be just spitting the package into /dev/null whilst appearing to
reinstall it.

If the immutable file is set on any of the hacked binaries, it will also fail to install. (Checking for the immutable flag is an easy way to check for many rootkits.)

--
"Invoking the supernatural can explain anything, and hence explains nothing."
                  - University of Utah bioengineering professor Gregory Clark
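
An added example, not part of the original messages: one way to run the immutable-flag check mentioned in the last reply. Because the thread notes that tools on the compromised system cannot be trusted, it assumes `lsattr` is run from rescue media with the suspect filesystem mounted at `/mnt/sysimage`; the function names, mount point and sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of `lsattr -R` output (not taken from a real system).
SAMPLE_LSATTR='----i--------e-- /mnt/sysimage/bin/ls
-------------e-- /mnt/sysimage/bin/cat

/mnt/sysimage/bin/sub:
-----a-------e-- /mnt/sysimage/bin/sub/my log'

# find_immutable (hypothetical helper): read lsattr output on stdin and print
# "immutable<TAB>path" or "append-only<TAB>path" for each flagged entry.
find_immutable() {
    while IFS= read -r line; do
        # Entry lines are "<attrs> <path>"; blank lines and the plain
        # "dir:" headers that -R prints contain no space at all.
        case $line in
            *' '*) ;;
            *) continue ;;
        esac
        attrs=${line%% *}   # attribute field, up to the first space
        path=${line#* }     # remainder, so paths with spaces survive
        # The attribute field holds only letters and dashes; anything else
        # (for example a header for a directory name with spaces) is skipped.
        case $attrs in
            *[!A-Za-z-]*) continue ;;
        esac
        case $attrs in
            *i*) printf 'immutable\t%s\n' "$path" ;;
            *a*) printf 'append-only\t%s\n' "$path" ;;
        esac
    done
}

# scan_dirs (hypothetical helper): list flagged files under the usual binary
# and library directories of a filesystem mounted at $1.
scan_dirs() {
    root=${1:-/mnt/sysimage}   # assumed rescue-mode mount point
    for d in bin sbin usr/bin usr/sbin lib; do
        if [ -d "$root/$d" ]; then
            lsattr -R "$root/$d" 2>/dev/null
        fi
    done | find_immutable
}

# Usage from the rescue environment: scan_dirs /mnt/sysimage
```

Immutable or append-only flags on system binaries are not set by a normal package install, so any hit is worth comparing against the package's own file list and checksums.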

