|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Exodus: this is bad
On Tue, 17 Nov 1998, Alex P. Rudnev wrote: > And one more thing. I am not Linux specialist, but I see a resious > problem because this compromised servers are usially troyaned by the > 'Linux Root Kit' hidding all hacker's activity. If anyone have some tools > to detect this rootkit (it include more than 200 files changed in the > system), point it, please - all my attempts to contact RedHat and other > Linux developers caused nothing. Systems using RPM-based package management (Redhat and most other distributions) can use the verify function to check their system's files vs. what was installed. The command to check the entire system is 'rpm -V -a'. The output looks something like: S.5....T c /etc/exports S.5....T c /etc/hosts.allow S.5....T c /etc/motd Periods (.) mean the test passed, otherwise you'll get a fail flag.. 5: MD5 checksum S: file size L: symlink T: mtime D: device U: user G: group M: file modes A 'c' between the flags and the filename indicates that this is a configuration file (and as such commonly modified). More information should be in the rpm manpage. Hope this info helps. -- Greg <a href="mailto:[email protected]";>|\/\/| Greg Retkowski |\/\/|</a><br> <a href="http://www.rage.net/";>|/\/\|"Save the Factories"|/\/\|</a><br>
|