Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] compromised SuSE7.3?
>> If you think it's not only paranoia then check this URL for forensic
>> analysis.

>Is it a question of paranoia? Are there no ways to ensure that the
>system is clean while keeping it alive?

You'll destroy the attacker's marks.

>In evidence.txt they checked
>the md5sums of the installed packages. Which database do they use as
>reference?

The original database of the attacked machine:

rpm -V -a --root=`pwd`/mnt/ | grep ^..5

>When I check all binaries as recently described, there is
>still the possibility, that the rpm-database is corrupted itself, isn't
>it?

Yep

>Or is the result, that the md5sums of all the binaries were ok
>sufficient to declare this system being clean?

Nope

--ö--

But I meant the ways to examine your system for the attacker's marks, e.g.
grabbing the whole drive via dd /dev/hdX | grep "part of date" as shown
in the document. Read the whole doc to see all the possibilities.

And examine files such as ps/ifconfig/lsof too. E.g. you can use /proc to look for
suspicious processes, if no kernel modules are injected.

Michael Appeldorn
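The two checks discussed in this message, verifying the mounted disk's packages against its own rpm database and comparing /proc against what ps reports, as an added example that is not part of the original post. The rpm -V output below is constructed for illustration (it is not output from the compromised machine); the column layout follows rpm's documented verify flags SM5DLUGT (newer rpm appends P), and the live helper assumes a Linux /proc and a ps that accepts -eo pid=. As the thread notes, a trojaned rpm database or a kernel-module rootkit defeats both checks, so treat a clean result as "nothing found", not "nothing there".

```python
"""Post-compromise checks: rpm -V parsing and /proc-vs-ps comparison.

Added example, not code from the original thread. The sample rpm -V
output is constructed; run rpm -V -a --root=/mnt on the real disk instead.
"""
import os
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `rpm -V -a --root=`pwd`/mnt/` output (hypothetical).
SAMPLE_RPM_V = """\
S.5....T   /bin/ps
S.5....T   /sbin/ifconfig
..5....T c /etc/ssh/sshd_config
.......T   /usr/bin/lsof
missing    /usr/bin/md5sum
S.5....T   /bin/netstat
"""

# rpm verify columns: S size, M mode, 5 md5, D device, L link, U user,
# G group, T mtime; newer rpm adds P (capabilities). '.' means unchanged.
_LINE = re.compile(r"^([S.][M.][5.][D.][L.][U.][G.][T.][P.]?)\s+(?:([a-z])\s+)?(\S+)$")


@dataclass
class Finding:
    path: str
    flags: str      # e.g. "S.5....T", or "missing" if the file is gone
    config: bool    # rpm marks config files with 'c'; those change legitimately

    @property
    def md5_changed(self) -> bool:
        return "5" in self.flags


def parse_rpm_verify(text: str) -> list[Finding]:
    """Turn rpm -V output into Findings; raises on lines it does not understand."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("missing"):
            tokens = line.split()
            # "missing  c /path" or "missing    /path"
            config = len(tokens) == 3 and tokens[1] == "c"
            findings.append(Finding(tokens[-1], "missing", config))
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised rpm -V line: {line!r}")
        flags, attr, path = m.groups()
        findings.append(Finding(path, flags, attr == "c"))
    return findings


def suspicious_binaries(findings: list[Finding]) -> list[str]:
    """The thread's `grep ^..5`, minus config-file noise, plus files that vanished.

    A changed md5 on a non-config file (ps, ifconfig, netstat ...) is the
    classic rootkit footprint; a missing md5sum binary is equally telling.
    """
    return sorted(f.path for f in findings
                  if not f.config and (f.md5_changed or f.flags == "missing"))


def hidden_pids(proc_pids, ps_pids) -> list[int]:
    """PIDs present in /proc but absent from ps output.

    A userland rootkit replaces ps to filter its processes, but cannot hide
    /proc/<pid> without a kernel module. Short-lived processes cause false
    positives, so confirm a hit by running the live check twice.
    """
    return sorted(set(proc_pids) - set(ps_pids))


def live_hidden_pids() -> list[int]:
    """Run hidden_pids() against the running system (Linux only)."""
    proc = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps = {int(p) for p in out.split()}
    return hidden_pids(proc, ps)


if __name__ == "__main__":
    for path in suspicious_binaries(parse_rpm_verify(SAMPLE_RPM_V)):
        print("check:", path)
    if os.path.isdir("/proc"):
        print("hidden pids:", live_hidden_pids())
```

Run parse_rpm_verify() on the real output of rpm -V -a --root=... taken from the mounted disk, not from the live system, so the attacked machine's own rpm and ps binaries are never executed during the check.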
