Security Incidents mailing list archives

Re: SSH Attempts: Link to RedHat?


From: "Holger van Lengerich (paderLinx GmbH)" <gimli () paderlinx de>
Date: Wed, 19 Dec 2001 08:29:11 +0100 (CET)

Hi,

Dave Dittrich <dittrich () cac washington edu> wrote:
> I wouldn't trust the RPM database on the system to tell you the truth,
> as it could be modified easily just like the original programs.
> Better to check against the original CD-ROM and/or a trusted archive.

That you cannot trust any data on a probably infested host doesn't necessarily
mean you cannot gain any information from it. It's just a question of
interpretation:

- An rpm-test that doesn't show any errors can strengthen the assumption that
everything is alright, though it will never be a proof.

On the other side:

- If the rpm-integrity test fails on several files, you'll know immediately
that something is very wrong.

So I think the rpm-integrity-test serves very well as proof of existence of
a hacker.

Regards,
  Holger



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
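
The asymmetry discussed in this message, as an added example that is not part of the original post: a triage of `rpm -Va` output in which failures on packaged files raise an alarm, while a run without failures is only ever reported as inconclusive. The sample output, the bucket names and the `triage`/`verdict` helpers are constructed for illustration, and the nine-column flag format of current rpm versions is assumed.

```python
import re

# Constructed sample of `rpm -Va` output (not taken from the post).
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
S.5....T.    /bin/ps
..5....T.    /usr/sbin/sshd
.......T.  d /usr/share/doc/foo/README
missing      /usr/bin/top
.M.......    /var/log/sa
"""

# Verify flags (or "missing"), optional file attribute marker, absolute path.
LINE = re.compile(
    r"^(?P<flags>missing|[A-Za-z0-9.?]{8,9})\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)

def triage(output):
    """Sort `rpm -Va` lines into alarm / review / expected buckets."""
    buckets = {"alarm": [], "review": [], "expected": []}
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        flags, attr, path = m.group("flags", "attr", "path")
        content_changed = flags == "missing" or "5" in flags
        if attr in ("c", "d", "g"):
            # Config, doc and ghost files: local edits are normal, read by hand.
            buckets["expected"].append(path)
        elif content_changed:
            # A packaged file was replaced (digest mismatch) or removed.
            buckets["alarm"].append(path)
        else:
            # Only size, mode, owner or mtime differ.
            buckets["review"].append(path)
    return buckets

def verdict(buckets):
    # No alarms is never reported as "clean": rpm and its database
    # sit on the suspect host and may have been modified themselves.
    return "suspect" if buckets["alarm"] else "inconclusive"

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(verdict(result), result["alarm"])
```
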

