On Tue, Feb 26, 2002 at 09:57:32AM +0000, Bob Vickers wrote:
> Ian,
> Have you done any checking with rpm? It has good options for verifying where files came from, e.g.
>
>     rpm -qf filename
>     rpm --verify packagename
>     rpm -ql packagename

In order to check _all_ packages, you can also use

    rpm -V -a

The third column reads "5" if the md5 sum of the file differs from the data saved in the rpm database. If someone has modified binaries (and the rpm db is not corrupted), they will show up when you pick out modified files via

    rpm -V -a | grep "^..5"

> I suppose if you are really paranoid you might distrust the information if you think you have been cracked, [...]

I have no idea how easy it is to modify the rpm database. Does anyone know of a rootkit that automates this?

Best regards,
Albert
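
The check discussed in this message, as an added example that is not part of the original e-mail: a filter for `rpm -V -a` output that looks only at the digest flag in the third position, separates config files from other files, and reports missing files. The function names and the sample lines are constructed for illustration, and the filter does not address a tampered rpm database.

```shell
#!/bin/sh
# Triage `rpm -V -a` output read from stdin.
# Line layout: flag string, optional attribute marker
# (c config, d doc, g ghost, l license, r readme), then the path.
# Files that rpm cannot find are reported as "missing  [attr] /path".
triage_rpm_verify() {
    awk '
    {
        flags = $1
        rest = $0
        sub(/^[^ ]+ +/, "", rest)           # drop the flag string
        attr = ""
        if (rest ~ /^[cdglr] +\//) {        # optional attribute marker
            attr = substr(rest, 1, 1)
            sub(/^[cdglr] +/, "", rest)
        }
        if (flags == "missing") {
            print "MISSING " rest
        } else if (substr(flags, 3, 1) == "5") {
            # Digest differs from the value stored in the rpm database.
            # Config files are often edited on purpose, so list them apart.
            print (attr == "c" ? "CONFIG " : "DIGEST ") rest
        }
    }'
}

# Constructed sample input (not captured from a real host).
# Two paths contain a "5" and would match an unanchored grep for "..5".
sample_verify_output() {
    cat <<'EOF'
S.5....T   /bin/ls
S.5....T c /etc/ssh/sshd_config
.......T   /usr/share/doc/pkg-1.5/README
.M......   /var/log/app5.log
missing    /usr/bin/passwd
..5.....   /usr/sbin/sshd
EOF
}

sample_verify_output | triage_rpm_verify
```

On a live system the function is fed with `rpm -V -a | triage_rpm_verify`.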