Steffen Dettmer wrote:
Of course. For instance, an attacker could replace ps with some trojaned ps. This can be detected: copy the ps binary to some other host and do an md5sum compare or a cmp. Of course these other machines need exactly the same distro/installation. Well, even this could be faked (the trojaned system could deliver the original ps on reads, but execute a trojaned ps on exec); I don't know if this is a common practice. Second, you could use rpm -V <package>. "ps" is in "ps" (rpm -qf `which ps`), so you can check "rpm -V ps". But of course RPM and its database could be trojaned, too, at least theoretically, but I've not heard about such things.
Another possibility is to set up a tar file with self-compiled binaries of the most important tools (ps, netstat etc.) and use this to check the system. But that can't work if somebody installed a kernel module. So I recommend installing all server systems, or machines permanently connected to the internet, without module support. Also md5 checking (tripwire etc.) is a good start.
--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256
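As an added illustration of the baseline-and-compare idea discussed above (this is example code, not from either poster): a small Python integrity checker that records hashes of critical binaries and later reports which are modified or missing. The tool list, the fake bin directory and the file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Tools the thread names as worth checking; the exact list is our assumption.
CRITICAL_TOOLS = ["ps", "netstat", "ls"]

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, names):
    """Record hashes of root/<name>; keep the result off the host,
    since a compromised machine can alter a baseline stored locally."""
    return {n: hash_file(os.path.join(root, n)) for n in names}

def verify(root, baseline):
    """Compare the current files against the baseline.
    Note: this reads files through the running kernel, so it cannot
    detect a module that serves the original bytes on read but a
    different binary on exec; for that, check from a trusted boot."""
    result = {"ok": [], "modified": [], "missing": []}
    for name, expected in sorted(baseline.items()):
        path = os.path.join(root, name)
        if not os.path.exists(path):
            result["missing"].append(name)
        elif hash_file(path) != expected:
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    return result

def demo():
    """Constructed scenario: fake bin dir, one file replaced, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        for n in CRITICAL_TOOLS:
            with open(os.path.join(root, n), "wb") as f:
                f.write(b"original " + n.encode())
        baseline = build_baseline(root, CRITICAL_TOOLS)
        with open(os.path.join(root, "ps"), "wb") as f:
            f.write(b"trojaned ps")              # simulated replacement
        os.remove(os.path.join(root, "netstat"))  # simulated deletion
        return verify(root, baseline)
if __name__ == "__main__":
    print(demo())  # → {'ok': ['ls'], 'modified': ['ps'], 'missing': ['netstat']}
```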