[CentOS] I appear to be attacking others

Mon Feb 6 23:12:28 UTC 2006
James Gagnon <jamesg at nucleus.com>

Sorry I am new to this and have been trying to read deep into this post to
figure things out...  If I run the rpm -Va on my machine to see if any of
these files have been changed just for learning purposes... What exactly am
I looking for?  And what should be causes for concern?

If one does find a file that's been altered by a rootkit or whatnot, what is
the next step from there?  Remove and Reinstall or is there a simple fix?

Are there any good apps out there to guard against rootkits or this problem?

Forgive me for the n00bness if I am completely off track as I am trying to
learn new stuff everyday as well as keep up with security as this sounds
like a pretty severe security issue...

From an overall security point of view, does anyone know any good links or
direct me to some good information for securing linux server systems if it's
not behind a hardware firewall?  I read all the security updates for
specific daemons such as httpd, bind, etc. and ensure those measures are in
place and/or patched.  However, when it comes to the actual OS itself I just
want to make sure all security measures are in place for it as well.  Yum
update does run on a nightly basis, but not sure if there is more to it than
that.

Thanks!
James


-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
Of Scot L. Harris
Sent: February 6, 2006 3:58 PM
To: CentOS mailing list
Subject: Re: [CentOS] I appear to be attacking others

On Mon, 2006-02-06 at 17:50, Troy Engel wrote:
> Steve Bergman wrote:
> > 
> > from a few trusted machines, I get the output below from 'rpm -Va | grep
> > -e libexec -e '/bin/'.
> > 
> > Also, how do rpm -V and prelink interact?  Are the binaries in an rpm
> > already prelinked?
> 
> I don't believe so, but I've never researched what they do upstream. It
> seems logistically difficult to build and prelink a binary while making
> a RPM from a gut instinct point of view.
> 
> I think your list is, as you guess, a set of victims that don't fit due
> to a prelink. I usually only use that command on server systems and
> don't see a lot of those entries.
> 
> -te

It was my understanding that rpm was prelink aware.  I know things like
tripwire are not prelink aware and will report changes if you initialize
its database prior to prelink running.



_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
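As an added example (not code from any of the posters above), here is a small POSIX shell filter that reads `rpm -Va` output and sorts each line by how much it matters, which is the "what exactly am I looking for" question. It assumes the `rpm -V` line layout: a block of attribute columns (`S` size, `M` mode, `5` digest, `D` device, `L` symlink, `U` user, `G` group, `T` mtime; CentOS 4's rpm 4.4 prints eight columns, later releases add a ninth `P` for capabilities), an optional file-type letter such as `c` for config files, then the path, or the word `missing` and the path. The sample lines are constructed for the example and are not real output from anyone's machine.

```shell
#!/bin/sh
# Classify `rpm -Va` output by severity.  Input lines look like:
#   SM5DLUGT[P] [c|d|g|l|r] /path      (only files that differ are printed)
#   missing     [c] /path
# Paths containing spaces are not handled (awk splits on whitespace).
classify_rpm_verify() {
    awk '
    NF < 2 { next }                       # skip warnings and other chatter
    {
        flags = $1; path = $NF
        ftype = (NF == 3) ? $2 : ""       # "c" marks a config file
        if (flags == "missing") { print "ALERT   missing file: " path; next }
        digest = (flags ~ /5/); size = (flags ~ /S/)
        mode   = (flags ~ /M/); owner = (flags ~ /[UG]/)
        mtime_only = (flags ~ /^[.]+T[.]*$/)   # 8 or 9 column layouts
        if (ftype == "c") {
            # Edited config files are expected; changed mode/owner on one is not.
            if (mode || owner) print "NOTE    config file with mode/owner change: " path " (" flags ")"
            else               print "EXPECTED edited config: " path " (" flags ")"
            next
        }
        # A non-config file (a binary, library or helper under libexec)
        # whose contents or size differ from the package is the real finding.
        if (digest || size) { print "ALERT   content changed: " path " (" flags ")"; next }
        # Mode/owner changes on a binary can mean an added setuid bit.
        if (mode || owner)  { print "ALERT   permission/owner changed: " path " (" flags ")"; next }
        # mtime alone on a binary is what prelink or a reinstall leaves behind.
        if (mtime_only)     { print "NOTE    mtime only (prelink or reinstall?): " path " (" flags ")"; next }
        print "NOTE    other attribute change: " path " (" flags ")"
    }'
}

# Constructed sample of what `rpm -Va` prints; not real output.
sample_rpm_va_output() {
    cat <<'EOF'
S.5....T    /usr/bin/ls
.......T    /usr/bin/gcc
..5....T  c /etc/ssh/sshd_config
.M......    /bin/ping
missing     /usr/sbin/sshd
EOF
}

# Real use on a CentOS box (not run here):
rpm_verify_report() {
    rpm -Va 2>/dev/null | classify_rpm_verify | sort
}

sample_rpm_va_output | classify_rpm_verify
```

Two things to keep in mind when reading the result. First, whether a `T`-only line on a binary is really prelink depends on rpm knowing how to undo prelinking before hashing; `rpm --eval '%__prelink_undo_cmd'` shows what, if anything, rpm will run for that (on a prelink-aware setup it expands to a `prelink -y` command line; an empty result means a `5` on a prelinked binary is expected noise rather than evidence). Second, `rpm -Va` runs the local `rpm` binary against the local rpm database, and a rootkit can alter both, so an `ALERT` is a reason to check further, for example with `rpm -Vp` against package files fetched from a trusted mirror or from a boot off clean media, and a clean run is not proof of a clean machine.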