I appreciate that I am responding to two people here so I've tried to point out which one I am addressing below...

Zoltan Boszormenyi wrote:

### Tomas's Bit:

> Tomas Larsson wrote:
>> Obviously there must be flaws in any OS/SW even Linux, as an
>> example my FC4-server was rooted, due to a flaw in php/MySQL.

SElinux++ ...but I bet you had it turned off, didn't you ;)

Windows is no safer against 0-day exploits than anything else. Arguably less safe (IMO) as it has absolutely no diagnostic output that is readable by normal people...

>> I ended up with a complete re-install,

..and did you enable SELinux protection that time?

>> if it was a windows-system, first of
>> all, it wouldn't probably happen,

I don't see how you can say that... bad php code on a windows-based webserver is just as exploitable as it would be on any web-server.

>>> since my AW would have taken care of it,

really? you have a piece of security software that can stop people exploiting bad php code? We aren't talking viruses here.
(nb: I am assuming that AW is antivirus.. if it means something else, please enlighten me)

>> plus the fact that I would have managed to remove it without
>> re-installing, So in a sense Linux is far more complicated to
>> restore, compared to Windows XP.

## Zoltan's bit...

> I cleaned a rootkit once off a RedHat 7.1 system by using "rpm -Va".
> It didn't need reinstallation of the whole system.

Which, although you may have been lucky, is not usually the most sensible approach. (no offence intended)

A few points to consider...

1. what if the rootkit is installed using rpm?
2. rpm is one of the binaries that has been 'trojaned'? you'll see only what the attacker wants you to see. rpm -Va is only as secure as /var/lib/rpm... checking from a rescue environment against a read-only backup of /var/lib/rpm has some mileage though.

> If you have any (non-config) files that differ from what rpm knows,
> you can reinstall the package that was modified.

see above. The only guaranteed safe option is a complete reinstall and restore from known good backup.

> You don't overwrite system-provided binaries yourself, right? Any
> compiled-from-source software should go into /usr/local or /opt...

and third-party RPM packages? Do you really not install any of those? Most now go into /usr

Regards

Stuart
-- 
Stuart Sears RHCA RHCSS RHCX
STFU PDQ RIAA MP3
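The `rpm -Va` triage discussed in the thread, as an added example that is not part of the original posts: it parses the verify output rpm prints and sorts it into expected config edits, harmless metadata-only differences (mtime), and non-config files whose contents, mode or ownership changed or which are missing. It also builds the command line for running the check from rescue media with `rpm --root`, so the rpm binary doing the verification is the rescue environment's rather than the possibly trojaned one on the disk being checked; the database under the target's `/var/lib/rpm` should itself be restored from a read-only backup first, as the post says. The sample verify output, the `/mnt/sysimage` mount point and the list of system binary directories are constructed for the example.

```python
"""Triage `rpm -Va` output from a rescue environment.

Added example, not code from the mailing-list thread.  The sample
verify output below is constructed; real output comes from running
`rpm -Va` against the suspect system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One `rpm -V` line: nine attribute flags (or the word "missing"), an optional
# file-type marker (c=config, d=doc, g=ghost, l=license, r=readme), the path.
# Flags: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities; "." means unchanged and "?" means the test could not run.
_LINE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)

# Flags that do not by themselves indicate altered content (mtime, untestable).
_BENIGN_FLAGS = set("T.?")


@dataclass
class VerifyEntry:
    flags: str
    attr: Optional[str]
    path: str

    @property
    def is_config(self) -> bool:
        return self.attr == "c"

    @property
    def content_changed(self) -> bool:
        # A missing file, or any flag other than mtime/untestable, means the
        # on-disk file no longer matches what the package database recorded.
        if self.flags == "missing":
            return True
        return any(ch not in _BENIGN_FLAGS for ch in self.flags)


def parse_verify_output(text: str) -> List[VerifyEntry]:
    """Parse the lines `rpm -Va` prints into VerifyEntry records."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if m:
            entries.append(VerifyEntry(m["flags"], m["attr"], m["path"]))
    return entries


def triage(entries: List[VerifyEntry]) -> Dict[str, List[str]]:
    """Split verify results into config edits, metadata-only noise, and
    non-config files worth reinstalling the owning package for."""
    report: Dict[str, List[str]] = {
        "config_changed": [],
        "metadata_only": [],
        "suspicious": [],
    }
    for e in entries:
        if e.is_config:
            report["config_changed"].append(e.path)
        elif e.content_changed:
            report["suspicious"].append(e.path)
        else:
            report["metadata_only"].append(e.path)
    return report


def rescue_verify_command(sysroot: str = "/mnt/sysimage") -> List[str]:
    """Command to run from rescue media: the rescue environment's rpm binary
    verifies the installed tree mounted at `sysroot`, reading the package
    database under <sysroot>/var/lib/rpm (restore that from a read-only
    backup before trusting the result).  `/mnt/sysimage` is an assumed mount
    point for the example."""
    return ["rpm", "--root", sysroot, "-Va"]


# Constructed sample output for the example.
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/bash/README
S.5....T.    /bin/ls
.M.......    /usr/bin/find
missing     /sbin/ifconfig
"""

if __name__ == "__main__":
    print("run from rescue media:", " ".join(rescue_verify_command()))
    for bucket, paths in triage(parse_verify_output(SAMPLE_OUTPUT)).items():
        print(f"{bucket}:")
        for p in paths:
            print(f"    {p}")
```

Only the `suspicious` bucket calls for reinstalling the owning package (`rpm -qf <path>` tells you which one); a changed config file is normal, and an mtime-only difference is usually a side effect of prelink or a backup restore. The result is still only as trustworthy as the database it is compared against, which is the point made in the thread.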