Why most run Microsoft, not RedHat

Zoltan Boszormenyi zboszor at freemail.hu
Sun Apr 29 13:54:23 UTC 2007


Stuart Sears wrote:
> ## Zoltan's bit...
>   
>> I cleaned a rootkit once off a RedHat 7.1 system by using "rpm -Va".
>> It didn't need reinstallation of the whole system.
>>     
> Which, although you may have been lucky, is not usually the most
> sensible approach. (no offence intended)
>   
> A few points to consider...
> 1. what if the rootkit is installed using rpm?
>   

It wasn't, it was installed from source. The intruder
left the source tree in place. He was tricky enough to
use chattr +i on /bin/login and some other programs.
BTW, although rpm complained that it could not replace
those, why isn't it prepared for such scenarios?
RPM is made for Linux, it should certainly know
about special filesystem flags and handle them.

> 2. rpm is one of the binaries that has been 'trojaned'?
> you'll see only what the attacker wants you to see.
> rpm -Va is only as secure as /var/lib/rpm...
> checking from a rescue environment against a read-only backup of
> /var/lib/rpm has some mileage though.
>   

It didn't touch rpm, we were lucky I must add.
If it had, I would have suggested a complete reinstall.
But it was a car dealer's system and both my boss and
the client started trembling upon hearing that the system
might have to be reinstalled and so the dealership could not
serve their clients for a day or two.
And my workplace had a strange policy of installing only a
minimal system (e.g. tripwire was certainly not installed) and
no upgrades should be performed. On a RH 7.1 system,
for heaven's sake!

>> If you have any (non-config) files that differ from what rpm knows, 
>> you can reinstall the package that was modified.
>>     
> see above.
>   

ditto :-)

> The only guaranteed safe option is a complete reinstall and restore from a
> known good backup.
>   

The one and only backup contained the Informix database content.

>> You don't overwrite system-provided binaries yourself, right? Any
>> compiled-from-source software should go into /usr/local or /opt...
>>     
> and third-party RPM packages? Do you really not install any of those?
> Most now go into /usr
>   

The only 3rd party rpm was Informix and its rpm
installs into /opt/informix. But it's a strange piece of
installation software, it touches files after the installation,
modifies the suid bit, owner, etc. on some files. I guess
the packager didn't know how to make a good rpm package.
So, after looking at the modification time on the
Informix binaries, I ignored them. On a clean system
the modification time matches the Informix install, too,
not the packaging date and time.

[ OT: Informix makes itself nice -10 to gain some
  advantage against everything else in the system to
  make itself seem not so slow. So it slows down everything
  else to a crawl when it stresses the CPU. Avoid it if you can. ]

Best regards,
Zoltán
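The two checks discussed in this exchange, verifying installed files with rpm -Va from a rescue environment and spotting the chattr +i trick that stops rpm from replacing a file, as an added example script that is not part of the original thread. The sample rpm -Va and lsattr output is constructed; the assumption that rpm resolves --dbpath relative to --root, and paths without embedded spaces, are noted in the comments.

```shell
#!/bin/sh
# Triage helpers for `rpm -Va` and `lsattr` output (example code, not from the
# thread). Both read the tool's output on stdin, so they can be fed either from a
# live run in a rescue environment or from a saved report.

# Print paths of non-config, non-doc files whose content rpm reports as changed
# ("S" size or "5" digest mismatch) or missing. A timestamp-only change ("T") is
# not reported. Assumes paths without embedded spaces.
suspicious_files() {
    awk '
        NF < 2 { next }
        {
            attrs = $1
            if (NF >= 3) { flag = $2; path = $3 } else { flag = ""; path = $2 }
            # c = config, d = documentation, l = licence: expected to differ or harmless
            if (flag == "c" || flag == "d" || flag == "l") next
            if (attrs == "missing" || index(attrs, "S") || index(attrs, "5")) print path
        }'
}

# Print paths that lsattr marks immutable ("i"): files rpm cannot replace until
# the attribute is cleared with chattr -i.
immutable_files() {
    awk 'NF >= 2 && index($1, "i") { print $2 }'
}

# Verify from a rescue system against the compromised root mounted read-only at
# $1, using a trusted copy of the rpm database placed under that root at $2.
# Assumption: rpm resolves --dbpath relative to --root.
verify_from_rescue() {
    root=$1
    dbpath=${2:-/var/lib/rpm}
    rpm --root "$root" --dbpath "$dbpath" -Va
}

# Constructed sample output (not from any real system).
SAMPLE_RPMVA='S.5....T.  c /etc/login.defs
S.5....T.    /bin/login
.......T.  d /usr/share/doc/foo/README
S.5....T.    /usr/bin/ps
.......T.    /bin/ls
missing     /usr/sbin/lsof'

SAMPLE_LSATTR='----i---------e------ /bin/login
--------------e------ /bin/ls'

# Run the triage over the constructed sample.
printf '%s\n' "$SAMPLE_RPMVA" | suspicious_files
printf '%s\n' "$SAMPLE_LSATTR" | immutable_files
```

The reported paths are the ones to reinstall from a trusted package copy (after clearing any immutable attribute), while the config and doc entries are expected to differ and are left out.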




More information about the fedora-list mailing list