Re: Exodus: this is bad

[Greg Retkowski <greg () rage net>]

On Tue, 17 Nov 1998, Alex P. Rudnev wrote:
> And one more thing. I am not Linux specialist, but I see a resious 
> problem because this compromised servers are usially troyaned by the 
> 'Linux Root Kit' hidding all hacker's activity. If anyone have some tools 
> to detect this rootkit (it include more than 200 files changed in the 
> system), point it, please - all my attempts to contact RedHat and other 
> Linux developers caused nothing.

Systems using RPM-based package management (Redhat and most other
distributions) can use the verify function to check their system's files
vs. what was installed. The command to check the entire system is 'rpm -V
-a'. The output looks something like:
S.5....T c /etc/exports
S.5....T c /etc/hosts.allow
S.5....T c /etc/motd

Periods (.) mean the test passed, otherwise you'll get a fail flag..
5: MD5 checksum
S: file size
L: symlink
T: mtime
D: device
U: user
G: group
M: file modes

A 'c' between the flags and the filename indicates that this is a
configuration file (and as such commonly modified). More information
should be in the rpm manpage. Hope this info helps.

-- Greg

<a href="mailto:greg () rage net">|\/\/|   Greg Retkowski   |\/\/|</a><br>
<a href="http://www.rage.net/";>|/\/\|"Save the Factories"|/\/\|</a><br>