On Fri, 2 Feb 2007, Alan wrote:
On Fri, 2 Feb 2007 10:59:57 -0500 (EST)
"Steven W. Orr" <steveo@xxxxxxxxxxx> wrote:
I read this thread and I have a question on why this problem is not
handled in a more direct approach instead of the blood&guts reload
approach: If you simply reinstall the rpm package (something like)
rpm --replacepkgs -vh rpm-4.4.1-22.i386.rpm
then you know that the binaries are good. From there all you have to do is
Because a good rootkit will trojan rpm to ensure that the above merely
reports it is ok and that
rpm -Va
lies. A really good one does it via patching the kernel so the rpm binary
off CD isn't sufficient either, you need to boot off a trusted source (eg
a rescue CD, and run the rpm off the rescue cd to replace the kernel,
libraries, you name it). Or its easier to shove the disk into another box
and work on it.
I actually encountered one rootkit that patched the RPM database. I found
it because it patched the rpm database -- using the wrong version of the
db libraries. Doh!
--
"Invoking the supernatural can explain anything, and hence explains nothing."
- University of Utah bioengineering professor Gregory Clark
