
Subject: Re: RH6.1/IPChains box hacked
From: J. J. Horner (jhornerKNOXLUG.ORG)
Date: Mon Apr 24 2000 - 11:28:27 CDT


On Mon, 24 Apr 2000, Mark Tinberg wrote:

> It looks like a copy of your RPM database. Possibly the cracker edited and rebuilt your RPM database to hide his/her tracks. Try running a 'rpm --verify --all' and comparing the output to 'rpm --verify /path/to/cdrom/RPMS/packagename.rpm' or 'rpm --verify ftp://ftp.redhat.com/path/to/RPMS/packagename.rpm' (using a known, trusted copy of the RPM executable of course.) This will compare checksums from the RPM database and then from the actual package files you have installed; they should match (you should be able to trust that your CDROM or ftp.redhat.com is OK.) If not then not only are your executables trojaned/backdoored/etc. but your RPM database is suspect as well. Probably a good idea to always verify off trusted media as opposed to trusting the RPM database hasn't been altered.

Oh, I'm purely in the investigate phase. The box has been rebuilt and
patched to a completely new version of RedHat. I backed up everything and
I'm viewing on an internal box.

Jon

--
J. J. Horner
Apache, Perl, Unix, Linux
jhornerknoxlug.org http://www.knoxlug.org/
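The cross-check Mark describes above (verify against the trusted package files, then compare with what the on-disk RPM database reports), written out as an added shell script that is not part of the original thread. The trusted rpm binary path, the package directory and the sample verify output are all constructed for illustration.

```shell
#!/bin/sh
# Cross-check installed files against trusted package files instead of the
# local RPM database, which an intruder may have rebuilt. Hypothetical paths:
# a trusted rpm binary in $TRUSTED_RPM, original .rpm files in $TRUSTED_RPMS.
TRUSTED_RPM="${TRUSTED_RPM:-/mnt/cdrom/bin/rpm}"
TRUSTED_RPMS="${TRUSTED_RPMS:-/mnt/cdrom/RedHat/RPMS}"
# rpm -V prints one line per differing file: an 8-character flag field
# (S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group,
# T mtime, '.' = passed), an optional 'c' for config files, then the path,
# or the word "missing" and the path. flagged: read that output on stdin
# and keep only what matters for a compromise check: missing files and
# size/mode/digest changes on non-config files (mtime-only is noise).
flagged() {
    while read -r flags attr path; do
        [ -z "$path" ] && { path=$attr; attr=""; }
        case "$flags" in
            missing)  printf '%s\n' "$path" ;;
            *[S5M]*)  [ "$attr" = c ] || printf '%s\n' "$path" ;;
        esac
    done
}
# db_hidden DB_OUT PKG_OUT: paths the trusted-package check (rpm -Vp) flags
# but the database check (rpm -V) does not, i.e. files that changed AND a
# database edited to match them.
db_hidden() {
    flagged <"$1" | sort -u >"$1.f"
    flagged <"$2" | sort -u >"$2.f"
    comm -13 "$1.f" "$2.f"
    rm -f "$1.f" "$2.f"
}
# verify_all: both checks for every installed package, run with the trusted
# rpm binary. Needs a real rpm, so the offline demo below does not call it.
verify_all() {
    "$TRUSTED_RPM" -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' | while read -r nvr; do
        "$TRUSTED_RPM" -V "$nvr" >"/tmp/$nvr.db" 2>&1
        "$TRUSTED_RPM" -Vp "$TRUSTED_RPMS/$nvr".*.rpm >"/tmp/$nvr.pkg" 2>&1
        db_hidden "/tmp/$nvr.db" "/tmp/$nvr.pkg" | sed "s|^|$nvr: |"
        rm -f "/tmp/$nvr.db" "/tmp/$nvr.pkg"
    done
}
# demo: constructed sample output. The database check sees only a config
# edit and an mtime change; the trusted package check shows /bin/ls and
# /bin/ps replaced (size and digest differ) and /bin/netstat removed.
demo() {
    db=$(mktemp); pkg=$(mktemp)
    printf 'S.5....T c /etc/inetd.conf\n.......T   /bin/login\n' >"$db"
    printf 'S.5....T c /etc/inetd.conf\nS.5....T   /bin/ls\nS.5....T   /bin/ps\nmissing    /bin/netstat\n' >"$pkg"
    db_hidden "$db" "$pkg"
    rm -f "$db" "$pkg"
}
```

Run `demo` to see the three paths the edited database would have hidden; `verify_all` does the same for every installed package once the trusted paths point at real media.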