Re: Why most run Microsoft, not RedHat



Stuart Sears wrote:
> ## Zoltan's bit...
> > I cleaned a rootkit once off a RedHat 7.1 system by using "rpm -Va". It didn't need reinstallation of the whole system.
> Which, although you may have been lucky, is not usually the most
> sensible approach. (no offence intended)
> A few points to consider...
> 1. what if the rootkit is installed using rpm?

It wasn't, it was installed from source. The intruder
left the source tree in place. He was a bit tricky, using
chattr +i on /bin/login and some other programs.
BTW, although rpm complained that it could not replace
those, why isn't it prepared for such scenarios?
RPM is made for Linux; it should certainly know
about special filesystem flags and handle them.

> 2. rpm is one of the binaries that has been 'trojaned'?
> you'll see only what the attacker wants you to see.
> rpm -Va is only as secure as /var/lib/rpm...
> checking from a rescue environment against a read-only backup of
> /var/lib/rpm has some mileage though.

It didn't touch rpm; we were lucky, I must add.
If it had, I would have suggested a complete reinstall.
But it was a car dealer's system, and both my boss and
the client started trembling upon hearing that the system
might have to be reinstalled and so the dealership could not
serve their clients for a day or two.
And my workplace had a strange policy of installing only a
minimal system (e.g. tripwire was certainly not installed) and
no upgrades should be performed. On a RH 7.1 system,
for heaven's sake!

> > If you have any (non-config) files that differ from what rpm knows, you can reinstall the package that was modified.
> see above.

ditto :-)

> The only guaranteed safe option is a complete reinstall and restore from
> known good backup.

The one and only backup contained the Informix database content.

> > You don't overwrite system-provided binaries yourself, right? Any
> > compiled-from-source software should go into /usr/local or /opt...
> and third-party RPM packages? Do you really not install any of those?
> Most now go into /usr

The only 3rd party rpm was Informix, and its rpm
installs into /opt/informix. But it's a strange piece of
installation software: it touches files after the installation,
modifies the suid bit, owner, etc. on some files. I guess
the packager didn't know how to make a good rpm package.
So, after looking at the modification time on the
Informix binaries, I ignored them. On a clean system
the modification time matches the Informix install, too,
not the packaging date and time.

[ OT: Informix makes itself nice -10 to gain some
advantage against everything else in the system to
make itself seem not so slow. So it slows down everything
else to a crawl when it stresses the CPU. Avoid it if you can. ]

Best regards,
Zoltán

--
fedora-list mailing list
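The thread above turns on two practical points: `rpm -Va` is only trustworthy when run from a rescue environment with a known-good copy of `/var/lib/rpm`, and a file locked with `chattr +i` cannot be replaced by a package reinstall until the flag is cleared. The script below is an added example, not code from this thread, from Red Hat or from either poster; it parses `rpm -Va` and `lsattr` output into a short triage list. The mount point `/mnt/sysimage` and the function names are assumptions of the example, and the sample verify lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Red Hat: triage "rpm -Va" output
# the way the discussion above describes. It is meant to run from a rescue
# environment, with the suspect disk mounted under a root directory and a known-good,
# read-only copy of its /var/lib/rpm mounted over <root>/var/lib/rpm, so that the
# rescue system's own rpm binary and a trusted database do the verifying.
# The default mount point /mnt/sysimage is an assumption, not from the post.
#
# rpm -Va prints one line per deviating file: a 9-character attribute field, then an
# optional file-type letter (c = config, d = documentation, ...), then the path.
# Attribute positions, left to right: S size, M mode, 5 digest, D device, L link
# target, U user, G group, T mtime, P capabilities. "." means that attribute matched.
# A file that has disappeared is printed as "missing   <path>".

# Read rpm -Va output on stdin; print the paths worth a closer look. Config files are
# skipped because they legitimately differ, and mtime-only changes are ignored; a
# changed digest, mode, owner or group on a non-config file is what a replaced binary
# looks like (the thread's /bin/login case).
suspicious_from_verify() {
    while read -r attrs rest; do
        [ -n "$attrs" ] || continue
        # word-split "rest" on purpose: it is "[typeletter] /path"
        set -- $rest
        case "$1" in
            c) continue ;;          # config file: expected to differ
            d|g|l|r) shift ;;       # doc/ghost/license/readme marker precedes the path
        esac
        path="$1"
        case "$attrs" in
            missing|*5*|*M*|*U*|*G*) echo "$path" ;;
        esac
    done
}

# Read lsattr output on stdin ("----i--------e-- /bin/login"); print paths carrying
# the immutable flag. The thread mentions chattr +i on /bin/login, which is why rpm
# could not replace the file: the flag must be cleared (chattr -i) before a package
# reinstall can succeed.
immutable_from_lsattr() {
    while read -r flags path; do
        case "$flags" in
            *i*) echo "$path" ;;
        esac
    done
}

# Drive both checks against a suspect system mounted at $1 (default /mnt/sysimage).
# Must run as root in the rescue environment; prints "changed: <path>" for every
# suspicious file and "immutable: <path>" for those additionally locked with chattr +i.
verify_suspect_root() {
    root="${1:-/mnt/sysimage}"
    rpm --root "$root" -Va 2>/dev/null | suspicious_from_verify | while read -r p; do
        echo "changed: $p"
        lsattr -d "$root$p" 2>/dev/null | immutable_from_lsattr | sed 's/^/immutable: /'
    done
}

# Usage: sh rpm-triage.sh /mnt/sysimage   (runs nothing when called without a path)
if [ "$#" -gt 0 ]; then
    verify_suspect_root "$1"
fi
```

Because the rescue environment's `rpm` is the one executed and the database it reads is the read-only backup, a trojaned `/usr/bin/rpm` or a doctored `/var/lib/rpm` on the suspect disk cannot influence the result; that is exactly the gap the "only as secure as /var/lib/rpm" remark points at.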


