Security Incidents mailing list archives
Re: SSH Attempts: Link to RedHat?
From: "Holger van Lengerich (paderLinx GmbH)" <gimli () paderlinx de>
Date: Wed, 19 Dec 2001 08:29:11 +0100 (CET)
Hi,

Dave Dittrich <dittrich () cac washington edu> wrote:
I wouldn't trust the RPM database on the system to tell you the truth, as it could be modified easily just like the original programs. Better to check against the original CD-ROM and/or a trusted archive.
That you cannot trust any data on a probably infested host doesn't necessarily mean you cannot gain any information from it. It's just a question of interpretation:

- An rpm-test that doesn't show any errors can strengthen the assumption that everything is all right, though it will never be a proof.

On the other side:

- If the rpm-integrity test fails on several files, you'll know immediately that something is very wrong.

So I think the rpm-integrity-test serves very well as proof of the existence of a hacker.

Regards,
Holger

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
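The interpretation discussed in this message, as an added example that is not part of the original thread: a filter that reads `rpm -V` output and reports only changed or missing non-config files. The function names, the choice to skip config/ghost files and mtime-only changes, and the sample lines are assumptions made for illustration; because the filter only reads text, the input can come from `rpm -Va` or from `rpm -Vp` run against packages on trusted media.

```sh
#!/bin/sh
# Triage `rpm -V` output: report changed or missing non-config files.
# Reads verify output on stdin, e.g.  rpm -Va | triage_rpm_verify
triage_rpm_verify() {
    awk '
    {
        path = $NF
        # Optional one-letter marker between flags and path:
        # c=config, d=doc, g=ghost, l=license, r=readme.
        kind = (NF == 3) ? $2 : "-"
        if (kind == "c" || kind == "g") next       # edits to these are routine
        if ($1 == "missing") { print "MISSING " path; next }
        flags = $1
        if (flags !~ /^[.?SM5DLUGTP]+$/) next       # not a verify line
        why = ""
        if (index(flags, "5")) why = why "digest,"
        if (index(flags, "M")) why = why "mode,"
        if (index(flags, "U") || index(flags, "G")) why = why "owner,"
        if (why != "") { sub(/,$/, "", why); print "CHANGED " path " (" why ")" }
    }'
}

# Constructed sample in rpm -V format (not taken from a real host).
sample_verify_output() {
    cat <<'EOF'
S.5....T c /etc/ssh/sshd_config
S.5....T   /bin/ls
.M......   /usr/bin/passwd
.......T   /usr/share/man/man1/ls.1.gz
missing    /sbin/ifconfig
S.5....T.  c /etc/hosts
EOF
}

# An empty report supports "looks unmodified" but does not prove it;
# any line here on a system binary needs explaining.
sample_verify_output | triage_rpm_verify
```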