Re: RPM aware rootkits?
From: jon schatz (jon@divisionbyzero.com)
Date: 02/14/02
- Previous message: Seth Arnold: "Re: RPM aware rootkits?"
- In reply to: Anton Chuvakin: "Re: RPM aware rootkits?"
- Next in thread: Chris Green: "Re: RPM aware rootkits?"
From: jon schatz <jon@divisionbyzero.com>
To: Anton Chuvakin <anton@chuvakin.org>
Date: 13 Feb 2002 15:39:31 -0800

On Wed, 2002-02-13 at 14:56, Anton Chuvakin wrote:
> Hmm, that was the point of my question, to some extent. How would an
> attacker (possessing the md5sums for valid packages and md5sums for hacked
> packages) go about updating the rpm database to pass the ? Are there any
> tools (in rootkits or elsewhere) to accomplish it?
well, why not just create new rootkit rpms? perhaps with the same
version string even? then `rpm --force --nodeps -ivh` the package.
anyone doing a rpm -Va would see everything as being fine, unless some
tripwire-esque filesystem check was used.
-jon
--
jon@divisionbyzero.com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
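
The point made in the reply above, shown as an added example that is not part of the original message: a check against digests stored on the host passes once those digests have been rewritten along with the file, while a tripwire-style baseline kept off the host still reports the change. The directory tree, file contents and the `host_db` stand-in for the RPM database are constructed for illustration.

```python
import hashlib, os, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 digest for every regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            out[os.path.relpath(p, root)] = sha256_file(p)
    return out

def verify(root, manifest):
    """Return sorted (path, status) findings: changed, missing or added."""
    current = snapshot(root)
    findings = []
    for path, digest in manifest.items():
        if path not in current:
            findings.append((path, "missing"))
        elif current[path] != digest:
            findings.append((path, "changed"))
    findings += [(p, "added") for p in current if p not in manifest]
    return sorted(findings)

def demo():
    """Constructed scenario: a file is replaced and the on-host digests are refreshed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        target = os.path.join(root, "bin", "ls")
        with open(target, "wb") as f:
            f.write(b"original contents")
        offline_baseline = snapshot(root)  # assumed stored off-host or on read-only media
        host_db = snapshot(root)           # stands in for the on-host package database
        with open(target, "wb") as f:
            f.write(b"replaced contents")
        host_db = snapshot(root)           # a forced reinstall rewrites the stored digests too
        return verify(root, host_db), verify(root, offline_baseline)

if __name__ == "__main__":
    db_view, baseline_view = demo()
    print("check against host database:", db_view)
    print("check against offline baseline:", baseline_view)
```

The baseline is only as trustworthy as where it is stored and what computes the digests, so both belong on media the host cannot write to.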