'rpm -V' can be misleading, if taking into account of prelink on Redhat/Centos Boxes which is running through cron by default. I've shown the steps on reverse the effect of prelink at the comments sections at link https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229?storyid=15229. I'm afraid that 'rpm -V' only will make big noises or false alarms.
But in general, maybe it is a good time to turn off prelink, or more aggressively, remove prelink packages from Centos 5/6? the prelink is said to bring some performance boost, but who really cares in the era of tens of CPUs? nowadays and later on we are -- and will -- more concerned on security threats instead of 3~5 percents CPU/performance gain, right?
________________________________
From: Leon Fauster <leonfauster@xxxxxxxxxxxxxx>
To: CentOS mailing list <centos@xxxxxxxxxx>
Sent: Saturday, February 23, 2013 3:14 AM
Subject: Re: SSHD rootkit in the wild/compromise for CentOS 5/6?
Am 23.02.2013 um 05:52 schrieb Karanbir Singh <mail-lists@xxxxxxxxx>:
> On 02/22/2013 09:35 PM, Leon Fauster wrote:
>> i use following script to scan top level
>> directories for files that are not packaged:
>
> If you trust your rpm-db, ...
i used to scan this list
rpm -qa --qf '%{NAME}-%{SIGGPG:pgpsig}-%{SIGPGP:pgpsig}-%{VENDOR}\n'
and checked them against keys that are _not_ in /etc/pki/rpm-gpg/.
Just as a normal sanity check (plus rpm -V).
i aware that this does not substitute a real auditing solution.
--
LF
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
