On Monday 03 November 2008 11:32:00 pm Greg Freemyer wrote:
I had a new client call me today. They believe their system has had an intruder in it. Possibly, just a worm/robot. Possibly a human. (The system is now offline.)
I believe it's running an unpatched version of SLES 9.0
I'd like to verify if any of the executables have been altered from the beginning.
Is there a way to have RPM / Yast do that?
Hi Greg,

rpm -V would verify the installed packages against the checksum in the local database. But if the system has been compromised, there's no reason to trust the local database. After all, what would have stopped the attacker from installing his/her version of a certain package through rpm? Or to even modify rpm in some way so that it can't be trusted?

The only way to be sure that no executables have been altered, would be to verify the checksum of each executable against the checksum of that file at system installation. You'd need a read-only medium with that checksum information on it, like a CD-ROM and an intrusion detection package like AIDE. But if your client is running an unpatched system, I don't think they would have the prudence to have such a CD-ROM.

You might run chkrootkit and/or rkhunter (again, from CD) and see what that yields, but really the only way to be sure is a complete reinstall from guaranteed clean, uncompromised media. After all, if the attacker is good (always assume he/she is) there's no telling in how many ways the system is compromised.

But let's start at the beginning...why do they believe that their system has been compromised?

HTH,
Joop

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
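The offline-baseline check Joop describes (a checksum list taken at install time and kept on read-only media, later compared against the live files without trusting the rpm database), as an added shell example that is not part of this thread. It assumes GNU coreutils and uses a constructed scratch directory in place of a real /bin and CD-ROM.

```shell
#!/bin/sh
# Added example, not from the thread: check a checksum manifest taken at install
# time (and kept on read-only media) against the live files, without relying on
# the rpm database. Assumes GNU coreutils; paths with whitespace are not handled.
# make_baseline DIR MANIFEST: record the sha256 of every regular file under DIR.
# On a real host the manifest would be written to CD-ROM before going online.
make_baseline() {
    find "$1" -type f | sort | xargs sha256sum > "$2"
}

# verify_baseline DIR MANIFEST: print CHANGED, MISSING and NEW files.
# Returns 0 when the tree matches the manifest exactly, 1 otherwise.
verify_baseline() {
    dir=$1; manifest=$2; rc=0
    # Every file in the manifest: still present, and still the same bytes?
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$manifest"
    # Files on disk that were not there at baseline time (a dropped tool, say).
    base=$(mktemp); cur=$(mktemp)
    awk '{print $2}' "$manifest" | sort > "$base"
    find "$dir" -type f | sort > "$cur"
    new=$(comm -13 "$base" "$cur")
    rm -f "$base" "$cur"
    [ -z "$new" ] || { printf '%s\n' "$new" | sed 's/^/NEW /'; rc=1; }
    return $rc
}

# demo: constructed scratch tree standing in for /bin; take a baseline, then tamper.
demo() {
    root=$(mktemp -d); mkdir "$root/bin"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'original ps\n' > "$root/bin/ps"
    printf 'original netstat\n' > "$root/bin/netstat"
    make_baseline "$root/bin" "$root/baseline.txt"   # stands in for the CD-ROM copy
    printf 'trojaned ps\n' > "$root/bin/ps"            # replaced binary
    rm "$root/bin/netstat"                             # removed binary
    printf 'backdoor\n' > "$root/bin/.sshd"            # file added after baseline
    status=0
    verify_baseline "$root/bin" "$root/baseline.txt" || status=$?
    echo "status=$status"
    rm -rf "$root"
}
demo
```

A real baseline would be taken from the freshly installed system and read back from the CD at check time, so neither the manifest nor the comparison depends on anything an intruder could have rewritten on disk.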