On Tuesday 07 February 2006 00:12, James Gagnon wrote:
Sorry I am new to this and have been trying to read deep into this post to figure things out... If I run the rpm -Va on my machine to see if any of these files have been changed just for learning purposes... What exactly am I looking for? And what should be causes for concern?
First, "man rpm" is the primary source for information re. how to read this output.
rpm spits out a line for each file that differs in any way (from how it was when it was installed). This includes not only changed content but also timestamps, permissions... etc.
What you're looking for is normally a "5", that stands for md5sum differs, that is, file content differs. This is sometimes ok (think config files) but sometimes not at all (think /bin/bash).
So, something like: rpm -Va | grep "5" | grep bin
is a very rough but helpful thing to run. Possibly piped to less and then you scan through it looking for important files that an evil person might want to change (ls, ps, netstat, ssh, bash...)
/Peter
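A slightly less rough version of the filter above, as an added example that is not from Peter's mail: it checks only the third verification character (the "5" digest flag) instead of grepping for any "5" in the line, skips files rpm marks as config files ("c" attribute), and keeps only paths under a bin or sbin directory. The rpm -Va output lines are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in the "rpm -Va" layout: nine verification characters
# (S size, M mode, 5 digest, ... T mtime), an optional attribute marker
# (c = config file), then the path. "missing" lines have no flag field.
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/bash/README
..5....T.    /bin/ls
S.5....T.    /sbin/init
.M.......    /usr/bin/passwd
missing      /usr/lib/libfoo.so'

# flag_content_changed LINE -> prints "yes" when the third verification
# character is "5" (file content differs from the package), else "no".
flag_content_changed() {
    case "$1" in
        ??5*) echo yes ;;
        *)    echo no ;;
    esac
}

# suspicious_binaries OUTPUT -> prints the paths whose content changed,
# which are not config files, and which live under a bin/sbin directory.
# Those are the lines worth a second look (ls, ps, netstat, bash ...).
suspicious_binaries() {
    printf '%s\n' "$1" | awk '
        substr($1, 3, 1) == "5" {
            path = $NF
            attr = (NF == 3) ? $2 : ""
            if (attr != "c" && path ~ "/s?bin/") print path
        }'
}

# Stand-alone run over the constructed sample; on a real system feed it
# the output of "rpm -Va" instead:  suspicious_binaries "$(rpm -Va)"
suspicious_binaries "$SAMPLE"
```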
If one does find a file that's been altered by a rootkit or whatnot, what is the next step from there? Remove and Reinstall or is there a simple fix?
1) contact your IRT if there is one and let them decide what to do
...either way, it's really a case of reinstall the entire machine and restore data from backups. Only a fool or a person with no options left tries to restore a root compromised machine (IMHO).
Are there any good apps out there to guard against rootkits or this problem?
1) updates (prevent)
2) root-kit checkers (like chkrootkit, rkhunter, tripwire) (search for)
3) security systems like selinux, rsbac, LIDS, ... (prevent, limit damage)
/Peter
Forgive me for the n00bness if I am completely off track, as I am trying to learn new stuff every day as well as keep up with security, as this sounds like a pretty severe security issue...
From an overall security point of view, does anyone know any good links or can direct me to some good information for securing linux server systems if it's not behind a hardware firewall? I read all the security updates for specific daemons such as httpd, bind, etc. and ensure those measures are in place and/or patched. However, when it comes to the actual OS itself I just want to make sure all security measures are in place for it as well. Yum update does run on a nightly basis, but I'm not sure if there is more to it than that.
Thanks! James