On Friday 25 February 2005 06:56 pm, Don Erickson wrote:
Any decent rootkit will overwrite ps, ls, less, more, netstat and a cast of thousands. If you don't re-install these, your system tests have little value.
You should, perhaps, follow the link I provided and read about this particular trojan.
I did a CRC check against ALL of the system files. They're fine. I checked RPM before I used it to check the rest of the system.
RPM's a great tool for a lot of things, including verifying system integrity. People who don't understand it and have been frustrated by the fact that it, itself, doesn't, say, resolve dependencies or download files tend to talk a lot of ignorant trash about it, but it does what it does quite well.
It's VERY hard to hack an RPM system in such a way as to conceal tampering with files within the packages. Not impossible, but hard in a way that the low-level simplicity of rootedoor tends to contraindicate.
I've dealt with a couple of systems that got rooted several years ago. "login" is one of the favorite files to replace, or move.
As I mentioned, I also have an image of the system, taken when it was running normally. I know what files I can trust, and I have used them to establish a chain of verification that gives me good confidence in the system's current state.
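One way to act on the RPM verification discussed above, as an added example that is not part of the thread: parse `rpm -Va` output and flag non-config files whose contents or permissions differ from the package database, skipping mtime-only drift. The sample output is constructed, and the check only means something when rpm and its database were themselves verified against a known-good copy, as the poster describes doing.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `rpm -Va` output (not taken from the thread). rpm
# prints one line per file that differs from the package database: a flag
# column, an optional attribute letter (c = config, d = doc, g = ghost),
# then the path. "missing" marks a packaged file that is gone.
SAMPLE_RPM_VERIFY = """\
..5....T.    /bin/ps
S.5....T.    /bin/ls
.......T.    /bin/netstat
S.5....T.  c /etc/hosts
.M.......    /usr/bin/passwd
missing      /bin/login
"""

FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
                "P": "capabilities"}
CONTENT_FLAGS = {"size", "digest", "mode", "device", "symlink", "missing"}
BENIGN_ATTRS = set("cdg")   # files rpm expects to drift from the package

LINE_RE = re.compile(
    r"^(?P<flags>[S.M5DLUGTP?]{8,9})\s+(?:(?P<attrs>[cdglr]+)\s+)?(?P<path>/\S+)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attrs>[cdglr]+)\s+)?(?P<path>/\S+)$")


@dataclass
class Finding:
    path: str
    reasons: list
    attrs: set = field(default_factory=set)


def parse_rpm_verify(text):
    """Turn rpm -V output into Finding records, one per reported file."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding(m["path"], ["missing"], set(m["attrs"] or "")))
            continue
        m = LINE_RE.match(line)
        if m:
            reasons = [FLAG_MEANING[c] for c in m["flags"] if c in FLAG_MEANING]
            findings.append(Finding(m["path"], reasons, set(m["attrs"] or "")))
    return findings


def suspicious(findings):
    """Paths whose content or permissions changed, ignoring config/doc files.
    An mtime-only change is reported by rpm but is not by itself evidence
    of a replaced binary, so it is left out here."""
    return [f.path for f in findings
            if not (f.attrs & BENIGN_ATTRS) and CONTENT_FLAGS & set(f.reasons)]
```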