Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] suspicious files
  • From: Albert Brandl <albert.brandl@xxxxxxxxxxxxxx>
  • Date: Tue, 26 Feb 2002 11:30:45 +0100
  • Message-id: <20020226113045.A7828@xxxxxxxxxxxxxx>
On Tue, Feb 26, 2002 at 09:57:32AM +0000, Bob Vickers wrote:
> Ian,
>
> Have you done any checking with rpm? It has good options for verifying
> where files came from, e.g.
>
> rpm -qf filename
> rpm --verify packagename
> rpm -ql packagename

In order to check _all_ packages, you can also use
rpm -V -a

The third column reads "5" if the md5 sum of the file differs from the data
saved in the rpm database. If someone has modified binaries (and the rpm
db is not corrupted), they will show up when you pick out modified files via

rpm -V -a | grep "..5"

> I suppose if you are really paranoid you might distrust the information if
> you think you have been cracked, [...]

I have no idea how easy it is to modify the rpm database. Does anyone know
of a rootkit that automates this?

Best regards,

Albert
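As an added example that is not part of the original post: a small POSIX shell filter that does what the `grep "..5"` pipeline above does, but in a way that also copes with the optional attribute column (`c` for config files, `d` for documentation) and with `missing` lines, so that legitimately edited config files can be set aside from binaries whose digest no longer matches. The sample `rpm -V -a` output is constructed for this example, not taken from a real system; the flag layout it assumes (position 3 is the digest test, reported as `5` even though newer rpm versions compare a file digest other than MD5) and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original thread): pick out files whose digest
# flag ("5", column 3) is set in `rpm -V -a` output.
#
# Each rpm -V line is:  <8 or 9 test flags> [attr] <path>
#   flag positions: 1 S size, 2 M mode, 3 5 digest, 4 D device, 5 L link,
#   6 U user, 7 G group, 8 T mtime (newer rpm adds 9 P capabilities);
#   "." means the test passed.  Files no longer present print "missing".
#   attr is optional: c config, d documentation, g ghost, l license, r readme.

# Constructed sample output; NOT real rpm data.
SAMPLE='S.5....T  c /etc/ssh/sshd_config
..5......    /bin/ls
.M.......    /usr/bin/passwd
missing      /usr/share/doc/packages/foo/README
S.5....T.  d /usr/share/man/man1/ls.1.gz
..5....T.    /usr/bin/login'

# digest_changed: paths whose digest differs from the rpm database.
# Reads rpm -V output on stdin; "missing" lines never match /^..5/.
digest_changed() {
    awk '$1 ~ /^..5/ { print $NF }'
}

# digest_changed_nonconfig: same, but drop config (c) and doc (d) files,
# which legitimately differ on most systems, leaving the binaries and
# libraries that a rootkit would actually replace.
digest_changed_nonconfig() {
    awk '$1 ~ /^..5/ && !(NF == 3 && ($2 == "c" || $2 == "d")) { print $NF }'
}

# On a live system:
#   rpm -V -a | digest_changed_nonconfig
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE" | digest_changed_nonconfig
```

Paths containing spaces would confuse the `$NF` field split; on a system where that matters, print from the first path character instead. Note also that everything here still trusts the local rpm database, which is exactly the reservation raised in the thread: to compare a file against the package rather than against the database, `rpm -Vp package.rpm` verifies against the package file itself, which can be fetched from trusted installation media.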
