Ack! I've been rooted...

alan alan at clueserver.org
Fri Feb 2 19:06:56 UTC 2007


On Fri, 2 Feb 2007, Alan wrote:

> On Fri, 2 Feb 2007 10:59:57 -0500 (EST)
> "Steven W. Orr" <steveo at syslang.net> wrote:
>> I read this thread and I have a question on why this problem is not
>> handled in a more direct approach instead of the blood&guts reload
>> approach: If you simply reinstall the rpm package (something like)
>>
>> rpm --replacepkgs -vh rpm-4.4.1-22.i386.rpm
>>
>> then you know that the binaries are good. From there all you have to do is
>
> Because a good rootkit will trojan rpm to ensure that the above merely
> reports it is ok and that
>
>> rpm -Va
>
> lies. A really good one does it via patching the kernel so the rpm binary
> off CD isn't sufficient either; you need to boot off a trusted source (e.g.
> a rescue CD) and run the rpm off the rescue CD to replace the kernel,
> libraries, you name it. Or it's easier to shove the disk into another box
> and work on it.

I actually encountered one rootkit that patched the RPM database.  I found 
it because it patched the rpm database -- using the wrong version of the 
db libraries.  Doh!

-- 
"Invoking the supernatural can explain anything, and hence explains nothing."
                   - University of Utah bioengineering professor Gregory Clark
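The thread's point is that nothing on the rooted disk can be trusted to verify itself: a trojaned rpm, a patched RPM database or a patched kernel will all report "ok". The check therefore has to run from trusted media against a baseline taken somewhere else. The script below is an added illustration of that procedure, not code from the original post or from Fedora: it assumes the suspect filesystem is mounted read-only under a directory passed as the first argument, and that a manifest of SHA-256 digests was produced earlier on a known-clean install of the same package versions. The demo at the end builds a constructed clean tree and a constructed "rooted" tree in a temporary directory, so it runs offline; the trojaned files in it are made up for the example.

```sh
#!/bin/sh
# Offline integrity check meant to run from a rescue CD or another box.
# Added example, not part of the original post. Assumes (illustration only):
#   ROOT     - mount point of the suspect filesystem (mounted read-only)
#   MANIFEST - "<sha256>  <path relative to ROOT>" lines produced on a clean
#              install with make_baseline, before the compromise
# Paths containing whitespace are not handled by this simple manifest format.

# Hash a file with whichever SHA-256 tool the rescue media provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline ROOT MANIFEST PATH...
# Run this on the KNOWN-CLEAN system; records digests of PATH... under ROOT.
make_baseline() {
    root=$1; out=$2; shift 2
    : > "$out"
    for rel in "$@"; do
        printf '%s  %s\n' "$(sha256_of "$root/$rel")" "$rel" >> "$out"
    done
}

# check_against_baseline ROOT MANIFEST
# Run this FROM THE RESCUE ENVIRONMENT against the mounted suspect disk.
# Writes one "MISSING"/"MODIFIED" line per discrepancy to stderr and prints
# the number of discrepancies on stdout (0 means every listed file matches).
check_against_baseline() {
    root=$1; manifest=$2; bad=0
    while read -r expected rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel" >&2
            bad=$((bad + 1))
            continue
        fi
        actual=$(sha256_of "$root/$rel")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $rel" >&2
            bad=$((bad + 1))
        fi
    done < "$manifest"
    echo "$bad"
}

# Self-contained demo with CONSTRUCTED data: a clean tree, a baseline taken
# from it, and a "rooted" tree where rpm and libc were replaced but ls was
# left alone. Prints the number of files the baseline check flags.
demo_constructed_rootkit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/bin" "$tmp/clean/lib" "$tmp/suspect/bin" "$tmp/suspect/lib"
    printf 'genuine rpm binary\n'  > "$tmp/clean/bin/rpm"
    printf 'genuine libc\n'        > "$tmp/clean/lib/libc.so.6"
    printf 'genuine ls\n'          > "$tmp/clean/bin/ls"
    printf 'trojaned rpm binary\n' > "$tmp/suspect/bin/rpm"      # constructed
    printf 'trojaned libc\n'       > "$tmp/suspect/lib/libc.so.6" # constructed
    printf 'genuine ls\n'          > "$tmp/suspect/bin/ls"

    make_baseline "$tmp/clean" "$tmp/baseline.sha256" bin/rpm lib/libc.so.6 bin/ls
    count=$(check_against_baseline "$tmp/suspect" "$tmp/baseline.sha256")
    rm -rf "$tmp"
    echo "$count"
}

if [ "${1:-}" = "demo" ]; then
    demo_constructed_rootkit
fi
```

Running the script with `demo` as its argument reports `MODIFIED bin/rpm` and `MODIFIED lib/libc.so.6` on stderr and prints 2. The important design point is where each half runs: the manifest is created on a machine you still trust and the comparison is done by a shell and hash tool loaded from rescue media, so a trojaned rpm, a doctored RPM database or a patched kernel on the suspect disk never get a vote. In a real recovery the same idea can be applied with the rescue CD's own rpm binary verified against the original .rpm files rather than the on-disk database; a digest manifest is simply the version that needs no RPM tooling at all.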
