Re: Anyone got hacked lately
- From: Jan Carlson <janc iname com>
- To: redhat-list redhat com
- Subject: Re: Anyone got hacked lately
- Date: Wed, 08 Sep 1999 16:58:10 +0000
Igmar Palsenberg wrote:
>
> > There is a utility called Tripwire that is very handy for this type of thing,
> > although it doesn't work as you describe. It does multiple checksums using
> > different algorithms of each file or directory tree you configure it to.
>
> I want to check the system from the original CD. Tripwire is not an
> option in this case, because I'm not sure how far they got.
>
> I want to use the original install CD to check if something is modified.
That means you want to use trusted rpm and md5sum, and other
trusted executables, to verify
your files against the rpm package files on the CD.
You may be able to simply boot from the rescue set
(floppy from mkbootdisk + rescue.img floppy),
mount the CD and your suspect filesystems, set your PATH to include
nothing from your hard disks, but only from the diskettes and CD.
This requires a mkbootdisk floppy made before the break-in, or on
a different machine. It also requires an updated version of the
rpm executable, since the orig RH6 version of rpm fails when you do "rpm -Vp",
but the version from rawhide does -Vp just fine.
You cannot trust your rpm database on the hard disk to give you an
accurate list of installed rpms. So you must concoct your own
list of rpms:
cat trimmed-list-of-original-and-update-rpm-filenames | xargs rpm -Vp
This will complain about all the rpms you updated since the
CD, so you will have to refine the list of rpms and maybe
use a special CD you make containing only update rpms and
the original rpms having no updates.
None of this can check files that belong to none of
the rpms you have,
which leaves lots of room for trojans to hide.
--
Jan Carlson janc iname com Scarborough, Ontario, Canada
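The check Jan describes boils down to three questions about every file on the suspect disk: does it match the package contents, is it missing, or does it belong to no package at all (the blind spot he mentions at the end). The script below is an added example, not code from the post or from the rpm project; it stands in for `rpm -Vp` by hashing a trusted tree (a mounted CD, or the unpacked contents of the package files) and comparing it with the suspect tree. The directory layout and file contents in `demo()` are constructed sample data; in real use the script itself, the Python interpreter and the libraries it loads would have to come from the trusted media, for exactly the reason the post gives for restricting PATH.

```python
"""Compare a suspect filesystem tree against a manifest built from a
trusted tree and classify every file as ok, modified, missing or
unaccounted-for.  Added example; it is not part of the original post."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its sha256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_tree(manifest, suspect_root):
    """Classify the suspect tree against a trusted manifest.

    modified    - present in both, hash differs (a tampered binary)
    missing     - in the manifest but gone from the suspect disk
    unaccounted - on the suspect disk but owned by no trusted package;
                  this is where a trojan can sit without being noticed
    """
    on_disk = build_manifest(suspect_root)
    modified = sorted(p for p in manifest if p in on_disk and on_disk[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in on_disk)
    unaccounted = sorted(p for p in on_disk if p not in manifest)
    return {"modified": modified, "missing": missing, "unaccounted": unaccounted}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: a trusted 'cd' tree and a tampered 'disk' copy."""
    with tempfile.TemporaryDirectory() as tmp:
        cd = os.path.join(tmp, "cd")      # stands in for the mounted install CD
        disk = os.path.join(tmp, "disk")  # stands in for the suspect root filesystem
        # trusted contents (constructed, not real package payloads)
        _write(cd, "bin/ls", b"original ls binary\n")
        _write(cd, "bin/ps", b"original ps binary\n")
        _write(cd, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        # suspect disk: ls untouched, ps replaced, passwd removed, extra hidden file
        _write(disk, "bin/ls", b"original ls binary\n")
        _write(disk, "bin/ps", b"replaced ps binary\n")
        _write(disk, "tmp/.hidden", b"not owned by any package\n")
        return verify_tree(build_manifest(cd), disk)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Running it prints one line per category; the `unaccounted` list is the one `rpm -Vp` can never produce, which is why Jan's closing caveat matters: a manifest built only from packages has nothing to say about files outside them, so that list has to be reviewed by hand.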