
Re: [OT?] Replacing hacked binaries

Hi Andreas,

> > Whether or not this is a desirable feature to have in Debian, I don't know.
> > But I do think it should be said that even though this method isn't for just
> > anyone, it IS possible to clean up a compromised machine without having to
> > wipe it out...

> I did exactly what you described here. Ronald (rb@debian.org) hacked a three
> line perl script that compared all available MD5 sums with the installed
> files fully automatically and within minutes. It did not take hours.

The 'hours' would not be the time it takes to verify the MD5 sums, but the
time it takes to go over all of the files whose MD5 sums don't match the
original values. :)  The rpm database includes MD5 sums for conffiles as well,
and many of these files may have been changed -- so of course they should all
be examined by the administrator.

Steve Langasek
postmodern programmer

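The check the two messages above are talking about, as an added example that is not part of the thread and not Ronald's script: read md5sum(1)-style lists of expected sums, compare them with the files actually on disk, and sort the mismatches into the two piles Steve distinguishes, files that should never change (treat as tampering) and conffiles (may be legitimate local edits, but each one still needs a human look). The fixture it runs against (a fake root with one clean binary, one trojaned binary, one edited conffile and one deleted file, and the package names `coreutils`, `procps`, `base-files`, `ssh`) is constructed for the example. The layout assumed here, one `<package>.md5sums` and `<package>.conffiles` list per package, is a simplification; on a real host the expected sums must come from a trusted source such as the original .deb files on a clean machine, not from the package database of the compromised host, which the intruder could have rewritten, and the comparison should be run from trusted media for the same reason.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_md5sums(info_dir):
    """Parse every *.md5sums list in info_dir.

    Each line is '<md5hex>  <path relative to />' in md5sum(1) format.
    Returns {'/abs/path': (hex, package)}."""
    expected = {}
    for lst in sorted(Path(info_dir).glob("*.md5sums")):
        pkg = lst.name[: -len(".md5sums")]
        for line in lst.read_text().splitlines():
            if line.strip():
                digest, rel = line.split(None, 1)
                expected["/" + rel.strip()] = (digest, pkg)
    return expected


def load_conffiles(info_dir):
    """Union of every *.conffiles list: absolute paths the admin may edit."""
    conf = set()
    for lst in Path(info_dir).glob("*.conffiles"):
        conf.update(l.strip() for l in lst.read_text().splitlines() if l.strip())
    return conf


def verify(root, info_dir):
    """Compare files under root against the expected sums.

    Mismatches are split into 'binaries' (never legitimately modified, so a
    mismatch is evidence of tampering) and 'conffiles' (possibly a legitimate
    local edit, still to be examined). Listed files that are absent go to
    'missing', since a deleted or renamed file is also worth a look."""
    expected = load_md5sums(info_dir)
    conffiles = load_conffiles(info_dir)
    result = {"ok": 0, "binaries": [], "conffiles": [], "missing": []}
    for abspath, (digest, pkg) in sorted(expected.items()):
        real = Path(root) / abspath.lstrip("/")
        if not real.is_file():
            result["missing"].append((abspath, pkg))
        elif md5_of(real) != digest:
            bucket = "conffiles" if abspath in conffiles else "binaries"
            result[bucket].append((abspath, pkg))
        else:
            result["ok"] += 1
    return result


def build_demo(base):
    """Constructed fixture, not a real system: a fake root plus md5sum lists."""
    root, info = Path(base) / "root", Path(base) / "info"
    info.mkdir()
    pristine = {  # hypothetical package contents (package name, bytes)
        "bin/ls": ("coreutils", b"pristine ls\n"),
        "bin/ps": ("procps", b"pristine ps\n"),
        "etc/issue": ("base-files", b"Debian GNU/Linux\n"),
        "usr/sbin/sshd": ("ssh", b"pristine sshd\n"),
    }
    for rel, (pkg, data) in pristine.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
        with open(info / f"{pkg}.md5sums", "a") as f:
            f.write(f"{hashlib.md5(data).hexdigest()}  {rel}\n")
    (info / "base-files.conffiles").write_text("/etc/issue\n")
    # Simulate the situation the thread describes: a trojaned binary, a
    # locally edited conffile, and a file that was deleted outright.
    (root / "bin/ps").write_bytes(b"trojaned ps that hides processes\n")
    (root / "etc/issue").write_bytes(b"Debian GNU/Linux - authorised users only\n")
    (root / "usr/sbin/sshd").unlink()
    return str(root), str(info)


def demo():
    """Build the fixture in a temporary directory and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, info = build_demo(tmp)
        return verify(root, info)


if __name__ == "__main__":
    r = demo()
    print(f"{r['ok']} file(s) match")
    for kind in ("binaries", "conffiles", "missing"):
        for path, pkg in r[kind]:
            print(f"{kind:9} {path}  ({pkg})")
```

Running it flags /bin/ps as a modified binary, /etc/issue as a changed conffile and /usr/sbin/sshd as missing, while /bin/ls passes. The split matters for the "hours" point: the binaries list can be reinstalled wholesale from clean packages, whereas every entry in the conffiles list needs a diff against the pristine copy to tell a harmless local edit from a planted change.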