Re: RPM aware rootkits?
From: Jeff Hedgpeth (jeff.hedgpeth@edwardjones.com)Date: 02/14/02
- Previous message: Anton Chuvakin: "Re: RPM aware rootkits?"
- Maybe in reply to: Anton Chuvakin: "RPM aware rootkits?"
- Next in thread: Michael H. Warfield: "Re: RPM aware rootkits?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 14 Feb 2002 10:22:27 -0600 From: Jeff Hedgpeth <jeff.hedgpeth@edwardjones.com> To: focus-linux@securityfocus.com
if you just want to pass rpm verify, I believe you can just delete the
rpm db entry with something like 'rpm -e <pkgs> --justdb --nodeps'. the
pkg won't show as installed, but it shouldn't be corrupt either. I
haven't verified this, tho.
jeff
> Do you know any of the RPM-aware rootkits for Linux which will not be
> detected by "rpm --verify". I would prefer direct edit of /var/lib/rpm
> rather to trojaned rpm binary, but what the heck - whatever will do.
>
> I need to deploy something on Linux which will pass the "rpm -V", but will
> involve replacing some binaries. I can rebuild the stuff from source
> RPMs, recreate the package and then replace the stock RPM., but it is too
> messy (GPG sig will be different, but that will hopefully be OK for the
> honeypot).
- Previous message: Anton Chuvakin: "Re: RPM aware rootkits?"
- Maybe in reply to: Anton Chuvakin: "RPM aware rootkits?"
- Next in thread: Michael H. Warfield: "Re: RPM aware rootkits?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
