Re: Why most run Microsoft, not RedHat

Stuart Sears wrote:
## Zoltan's bit...
I cleaned a rootkit once off a RedHat 7.1 system by using "rpm -Va". It didn't need reinstallation of the whole system.
Which, although you may have been lucky, is not usually the most
sensible approach. (no offence intended)
A few points to consider...
1. what if the rootkit is installed using rpm?

It wasn't, it was installed from source. The intruder
left the source tree in place. He was a bit tricky, using
chattr +i on /bin/login and some other progs.
BTW, although rpm complained that it cannot replace
those, why isn't it prepared for such scenarios?
RPM is made for Linux, it should certainly know
about special filesystem flags and handle them.

2. rpm is one of the binaries that has been 'trojaned'?
you'll see only what the attacker wants you to see.
rpm -Va is only as secure as /var/lib/rpm...
checking from a rescue environment against a read-only backup of
/var/lib/rpm has some mileage though.

It didn't touch rpm, we were lucky I must add.
If it would have, I would have suggested a complete reinstall.
But it was a car dealer's system and both my boss and
the client started trembling upon hearing that the system
might have to be reinstalled and so the dealership cannot
serve their clients for a day or two.
And my workplace had a strange policy for install only
minimal system (e.g. tripwire was certainly not installed) and
no upgrades should be performed. On a RH 7.1 system,
for heaven's sake!

If you have any (non-config) files that differ from what rpm knows, you can reinstall the package that was modified.
see above.

ditto :-)

The only guaranteed safe option is a complete reinstall and restore from
known good backup.

The one and only backup contained the Informix database content.

You don't overwrite system-provided binaries yourself, right? Any
compiled-from-source software should go into /usr/local or /opt...
and third-party RPM packages? Do you really not install any of those?
Most now go into /usr

The only 3rd party rpm was Informix and its rpm
installs into /opt/informix. But it's a strange piece of
installation software, it touches files after the installation,
modifies suid bit, owner, etc on some files. I guess
the packager didn't know how to make a good rpm package.
So, after looking at the modification time on the
Informix binaries, I ignored them. On a clean system
the modification time matches the Informix install, too,
not the packaging date and time.

[ OT: Informix makes itself nice -10 to gain some
 advantage against everything else in the system to
make itself seem not so slow. So it slows down everything
 else to a crawl when it stresses the CPU. Avoid it if you can. ]

Best regards,
Zoltán
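As an added example (not from the thread, and not rpm's own tooling), a small shell triage of "rpm -Va" output along the lines discussed above: it separates expected config/doc changes from modified, unreadable or missing files, and flags immutable-attribute files from "lsattr" output, the chattr +i trick that stopped rpm from replacing /bin/login. Both sample outputs are constructed.

```shell
#!/bin/sh
# rpm -Va prints one line per differing file: an attribute string
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# "." = same, "?" = could not be read), an optional file-type letter
# (c config, d doc, ...), then the path. Missing files print "missing <path>".
# Produce the real input from a rescue environment with the suspect disk
# mounted, e.g. "rpm -Va --root /mnt/sysimage", after comparing its rpmdb
# against your read-only copy as suggested in the thread.

# Constructed sample: two rebuilt binaries, an edited config, a doc with a
# new mtime, a file rpm could not read, and a missing binary.
SAMPLE_VERIFY='S.5....T.    /bin/login
S.5....T.    /bin/ls
..5....T.  c /etc/inittab
.......T.  d /usr/share/doc/foo/README
..?......    /usr/bin/top
missing      /sbin/ifconfig'

# Print paths worth treating as tampered with: non-config, non-doc files whose
# size, mode, digest or link target differ, that are missing, or that rpm
# could not read. A pure mtime change on a binary is not flagged on its own.
suspect_files() {
    printf '%s\n' "$1" | awk '
        {
            attrs = $1; path = $NF; ftype = (NF == 3) ? $2 : ""
            if (ftype == "c" || ftype == "d") next   # expected to change
            if (attrs == "missing" || attrs ~ /[SM5L?]/) print path
        }'
}

# lsattr prints the flag string then the path; a lowercase "i" in the
# flags is the immutable bit that makes rpm fail to replace the file.
# Constructed sample: two binaries pinned with chattr +i.
SAMPLE_LSATTR='----i--------e-- /bin/login
-------------e-- /bin/ls
----i--------e-- /bin/ps'

# Print paths carrying the immutable attribute (clear with "chattr -i"
# before reinstalling the owning package).
immutable_files() {
    printf '%s\n' "$1" | awk '$1 ~ /i/ { print $2 }'
}

suspect_files "$SAMPLE_VERIFY"
immutable_files "$SAMPLE_LSATTR"
```

Feed real output with `suspect_files "$(rpm -Va --root /mnt/sysimage)"` and `immutable_files "$(lsattr -R /mnt/sysimage/bin 2>/dev/null)"`; `rpm -qf` on each flagged path then names the package to reinstall.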

