Les Mikesell wrote:
Jacques B. wrote:You can't honestly suggest that there should be a tool that can check your entire system for any evidence of intrusion and fix it?Well yes... Since there isn't a handier one, I usually do it by restoring a backup from a time when I trusted the machine into a subdirectory of some other machine, then running rsync -avn against the live one to see what has changed.
That might not be good enough. 'rsync -a' will skip more thorough checks if two files size and mod times match. An attacker could fairly easily produce a binary of the same size, and fix the mod time after installation.
If you add '-I', then rsync will report comparing all of the files in your system, so that's no good either. You probably need to use a backup copy of the rpm database to do an 'rpm -Va' to verify your system files.