Re: How to tell if you've been hacked?
- From: Aaron Turner <aturner linuxkb org>
- To: redhat-list redhat com
- Cc: Steve <sgulick poboxes com>
- Subject: Re: How to tell if you've been hacked?
- Date: Mon, 13 Dec 1999 16:44:56 -0800 (PST)
Assuming your RPM database hasn't been modified by the hacker. :) If you
want to use RPM for this, you should:
rpm -qa > file
Take this file to another CLEAN system (preferably new) and install all
the apps in this file from known sources (like your CD). (Simple script
to do this is left as an exercise for the reader).
Then copy your rpm database /usr/lib/rpm from this CLEAN system to the
"hacked" system, and then do a:
rpm -Va
Realize that if the hacker did a rpm -e <package> and then compiled the
app, RPM won't check it since it's not in the rpm database anymore.
Also realize that there are kernel modules out there that will "hide"
changes so using RPM or things like Tripwire will *not* show modified
files. If you have reason to believe that someone would bother doing an
advanced crack like this, really your only choice is to re-install.
On Tue, 14 Dec 1999, mgalgoci redhat com wrote:
>
> As root,
>
> rpm -Va
>
> This will tell you all of the files that have changed since installation.
>
> --
> Matt Galgoci
> Job title: export title=`dd if=/dev/random bs=24 count=1`
> echo $title
>
> On Mon, 13 Dec 1999, Steve wrote:
>
> > Could some one point me to some info on the ABC's of examining your system for
> > access violations? If there is such a resource.
> >
> > TIA
> > Steve
--
Aaron Turner, Core Developer http://vodka.linuxkb.org/~aturner/
Linux Knowledge Base Organization http://linuxkb.org/
Because world domination requires quality open documentation.
aka: aturner vicinity com, aturner pobox com, ion_beam_head ashtech net
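
The following is an added example, not part of the original message: a small filter for the output of the rpm -Va step above that separates changed contents, changed permissions and missing files from expected noise such as timestamps and documentation. The function names and the sample lines are constructed for illustration, and the result is only as trustworthy as the RPM database that produced the input.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output. Function names are hypothetical.

# Constructed sample of verify output (not taken from a real host).
sample_verify_output() {
cat <<'EOF'
S.5....T.  c /etc/inetd.conf
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
missing      /usr/sbin/in.identd
.......T.  d /usr/share/doc/bash/README
..5....T.    /bin/login
EOF
}

# Reads `rpm -Va` output on stdin and prints "<CLASS> <path>" per finding.
# Flag letters: S size, M mode, 5 digest, U owner, G group, T mtime.
# Paths containing spaces are not handled by this sketch.
triage_verify() {
  awk '
    # rpm prints "missing" instead of a flag string when the file is gone.
    $1 == "missing" { print "MISSING " $NF; next }
    {
      flags = $1; path = $NF
      # A one-letter second field marks config (c), doc (d), ghost (g) files.
      marker = (NF >= 3 && length($2) == 1) ? $2 : ""
      if (marker == "d" || marker == "g") next
      if (marker == "c") {
        # Edited config files are normal; list them for a separate read-through.
        if (index(flags, "5")) print "CONFIG " path
        next
      }
      # A digest mismatch on a non-config file means the contents were replaced.
      if (index(flags, "5"))      print "CONTENT " path
      # Mode or ownership changes matter for setuid binaries.
      else if (flags ~ /[MUG]/)   print "PERMS " path
    }'
}

# Stand-alone run on the constructed sample; on a real host use:
#   rpm -Va | triage_verify
sample_verify_output | triage_verify
```

Files that belong to no package at all, such as a binary rebuilt after rpm -e, never appear in this output and have to be found another way.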