On Fri, 25 Feb 2005, Jonathan Hutchins wrote:
> I did a CRC check against ALL of the system files. They're fine. I checked RPM before I used it to check the rest of the system.
> RPM's a great tool for a lot of things, including verifying system integrity. People who don't understand it and have been frustrated by the fact that it, itself, doesn't, say, resolve dependencies or download files tend to talk a lot of ignorant trash about it, but it does what it does quite well.
> It's VERY hard to hack an RPM system in such a way as to conceal tampering with files within the packages. Not impossible, but hard in a way that the low-level simplicity of rootedoor tends to contraindicate.
The problem with said philosophy is that the system had to be hacked before the rootkit was installed. You are working under the assumption that this is all they did ...
Also, you should really read the rpm code sometime. It is a tool to verify, but if it is the only tool you are using ... you are only fooling yourself. If you had a tripwire database to also compare with I might be inclined to agree that you have a little bit of time before you need a re-install. Still, you need to re-install.
Paranoid sysadmins are good sysadmins. Yes, they are out to crack your systems.
//========================================================\
|| D. Hageman dhageman@dracken.com ||
\========================================================//
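The reply's point about having a second, independently stored database to compare against, as an added example that is not part of the original thread: a minimal baseline comparison in Python, standing in for the idea rather than reproducing Tripwire or rpm. The directory tree, file names and the `snapshot`, `compare` and `demo` helpers are constructed for illustration.

```python
import hashlib, os, tempfile

def snapshot(root):
    """Map each file under root to (sha256 hex digest, permission bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = os.stat(path).st_mode & 0o7777
            snap[os.path.relpath(path, root)] = (digest, mode)
    return snap

def compare(baseline, current):
    """Return paths that were added, removed or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: files change and the on-host database follows."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for name, body in (("ls", b"original ls"), ("ps", b"original ps")):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(body)
        offline = snapshot(root)   # assumption: kept off the host, read-only
        on_host = snapshot(root)   # stands in for a database stored on the host
        # Tampering: one file's content changes and a new file appears ...
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"modified ps")
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"unexpected file")
        # ... and whoever has root can refresh the on-host database to match.
        on_host = snapshot(root)
        now = snapshot(root)
        return compare(on_host, now), compare(offline, now)

if __name__ == "__main__":
    host_view, offline_view = demo()
    print("on-host database:", host_view)
    print("offline baseline:", offline_view)
```

The on-host comparison comes back empty while the offline baseline reports the changed and added files, which is why the baseline has to live somewhere the compromised host cannot write to.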