What to do when rpm verification fails
Andras Simon
szajmi at gmail.com
Fri Jul 7 18:10:56 UTC 2006
On 7/7/06, Frank Elsner <Elsner at zrz.tu-berlin.de> wrote:
>
> Oh YES.
>
> You'be been hacked. Recheck with "chkrootkit".
Thanks for the suggestion. I ran chkrootkit, and it was all not
found/not infected/no suspect files. But there're just too many
suspicious files
such as
S.?..... /usr/sbin/lpasswd
S.?..... /usr/sbin/luseradd
S.?..... /usr/sbin/luserdel
S.?..... /usr/sbin/lusermod
...
to believe it was a simple rpm database corruption.
>
> Disconnect from net and re-install.
I'll do a reinstall, but I'd love to know where's the hole first,
otherwise there's nothing to save me from the same thing happening
again. Not that I know where to look... The usual suspects (portmap,
sendmail, etc.) are not running, and I thought my firewall rules were
pretty strict (who doesn't? :-)), iptables -L says
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023
DROP tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,ACK/SYN
DROP icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (0 references)
[there's more here, but hopefully, 0 references means that they're irrelevant]
Andras
>
>
> --Frank Elsner
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
More information about the users
mailing list