[Nottingham] Has my server been intruded or am I paranoid?

Mark O'Shea mark at musicalstoat.co.uk
Mon Nov 17 02:27:51 UTC 2008


On Sun, Nov 16, 2008 at 06:25:02PM +0000, Graeme Fowler wrote:
> If you were using an RPM based distro, you could do "rpm -Vf /bin/ps" to
> see if the various attributes have changed since installation. I've no
> idea how to do that using apt, though.
> 
Unfortunately dpkg (in Debian s/rpm/dpkg/ s/yum/apt/ roughly speaking
for those that aren't bilingual) doesn't do this straight off.  The
information isn't recorded in the dpkg database per the file lengths,
permissions, md5 sum etc.  The debsums package may help with the md5
sums and you could compare the original package to what you have
using a script, but nothing quite as easy (unless anyone else has any
insight).

And:
On Sun, Nov 16, 2008 at 06:36:40PM +0000, Danny King wrote:
> I do upgrade fairly regularly although I updated rkhunter before the
> scan too.
I don't think just upgrading the rkhunter package would have necessarily
updated the rkhunter database to record the current system information
(nor would you want it to).  It should still have the older information,
which might have changed if you updated packages containing files that
you mention.

Regards
-- 
Mark
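
Added example, not part of the original post: a minimal version of the "compare the original package to what you have" script mentioned above. It checks files under a root directory against an md5sums list in the format shipped in a .deb's control data ("<md5>  <path relative to />"). It assumes the list comes from a freshly downloaded copy of the package rather than from the suspect machine, and that the md5sum binary being run is itself trusted; the function name and the paths in the comments are illustrative.

```shell
#!/bin/sh
# verify_md5sums LIST [ROOT]
#   LIST: md5sums file taken from a package's control data, e.g. after
#         dpkg-deb -e package.deb ctrl/    (package.deb is a placeholder)
#         the list is then ctrl/md5sums
#   ROOT: filesystem root to check (default /); point it at a mounted image
#         when examining a suspect disk from a clean system.
# Prints one line per missing or altered file; returns 1 if any were found.
verify_md5sums() {
    list=$1
    root=${2:-/}
    bad=0
    # Each line is "<md5>  <relative path>"; the path may contain spaces,
    # so everything after the first field is kept in $path.
    while read -r want path; do
        [ -n "$path" ] || continue
        file="${root%/}/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  /$path"
            bad=1
            continue
        fi
        have=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED  /$path"
            bad=1
        fi
    done < "$list"
    return "$bad"
}
```

A CHANGED line for a file such as /bin/ps is only meaningful if the package version matches the one installed; a list from a different version will report differences on an untouched system.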


