[CentOS] I appear to be attacking others

Tue Feb 7 16:51:08 UTC 2006
Peter Kjellström <cap at nsc.liu.se>

On Tuesday 07 February 2006 00:12, James Gagnon wrote:
> Sorry I am new to this and have been trying to read deep into this post to
> figure things out...  If I run the rpm -Va on my machine to see if any of
> these files have been changed just for learning purposes... What exactly am
> I looking for?  And what should be causes for concern?

First, "man rpm" is the primary source for information re. how to read this 
output.

rpm spits out a line for each file that differs in any way (from how it was 
when it was installed). This includes not only changed content but also 
timestamps, permissions... etc.

What you're looking for is normally a "5", that stands for md5sum differs, 
that is, file content differs. This is sometimes ok (think config files) but 
sometimes not at all (think /bin/bash).

So, something like:
rpm -Va | grep "5" | grep bin

is a very rough but helpful thing to run. Possibly piped to less and then you 
scan through it looking for important files that an evil person might want to 
change (ls, ps, netstat, ssh, bash...)

/Peter

> If one does find a file that's been altered by a rootkit or whatnot, what
> is the next step from there?  Remove and Reinstall or is there a simple
> fix?

1) contact your IRT if there is one and let them decide what to do

...either way, it's really a case of reinstall the entire machine and restore 
data from backups. Only a fool or a person with no options left tries to 
restore a root compromised machine (IMHO).

> Are there any good apps out there to guard against rootkits or this
> problem?

1) updates (prevent)
2) root-kit checkers (like chkrootkit, rkhunter, tripwire) (search for)
3) security systems like selinux, rsbac, LIDS, ... (prevent, limit damage)

/Peter

> Forgive me for the n00bness if I am completely off track as I am trying to
> learn new stuff everyday as well as keep up with security as this sounds
> like a pretty severe security issue...
>
> >From an overall security point of view, does anyone know any good links or
>
> direct me to some good information for securing linux server systems if its
> not behind a hardware firewall?  I read all the security updates for
> specific daemons such as httpd, bind, etc.. and ensure those measures are
> in place and or patched.  However, when it comes to the actual OS itself I
> just want to make sure all security measures are in place for it as well. 
> Yum update does run on a nightly basis, but not sure if there is more to it
> than that.
>
> Thanks!
> James

-- 
------------------------------------------------------------
  Peter Kjellström               |
  National Supercomputer Centre  |
  Sweden                         | http://www.nsc.liu.se
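Added example, not part of Peter's reply: the `grep "5"` above also matches any path that happens to contain a "5", so the script below parses the `rpm -Va` attribute column instead. In that output each line is `<attrs> [<type>] <path>`; position 3 of `<attrs>` is the digest check (a "5" means content differs), and a `c` type flag marks a %config file that an admin may legitimately have edited. The sample lines fed to it are constructed for the demo and are not real verification results.

```shell
#!/bin/sh
# Parse `rpm -Va` output and report files whose content digest differs,
# ignoring %config files and files that changed only in mtime/mode/etc.
#
# rpm -V attribute string: one character per check, "." = passed.
#   position 1: S size      position 2: M mode     position 3: 5 digest
#   position 8: T mtime     (later rpm adds a 9th position, P capabilities)
# Lines starting with "missing" carry no attribute string at all.

# Print the path of every non-config file whose digest differs.
# Reads rpm -Va output on stdin.
content_changed() {
    awk '
        $1 == "missing" { next }          # deleted file: nothing to hash
        substr($1, 3, 1) != "5" { next }  # digest check passed
        {
            # A one-letter second field is the type flag (c, d, g, l, r).
            type = ""; path = $2
            if (length($2) == 1) { type = $2; path = $3 }
            if (type == "c") next          # %config: usually a local edit
            print path
        }
    '
}

# Narrow to the directories an attacker swaps tools in (ls, ps, netstat...).
system_binaries_changed() {
    content_changed | grep -E '^/(usr/)?(s?bin|lib(64)?)/'
}

# Constructed sample of rpm -Va output (assumption: not from a real host).
SAMPLE='S.5....T  c /etc/ssh/sshd_config
S.5....T    /bin/ls
.......T    /usr/lib/libz.so.1.2.3
S.5....T    /usr/share/doc/foo/README
.M......    /usr/bin/passwd
missing     /usr/share/man/man1/foo.1.gz
S.5....T    /usr/bin/netstat'

# Run against the sample when invoked directly with --demo;
# on a real box: rpm -Va 2>/dev/null | system_binaries_changed
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | system_binaries_changed
fi
```

On a live system the interesting output is the `system_binaries_changed` list, and it is only meaningful if the rpm database and the rpm binary itself are trusted; a rootkit that alters /bin/ls can just as well alter /bin/rpm, which is one reason the advice above is to reinstall rather than repair.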