On Tue, 17 Nov 1998, Alex P. Rudnev wrote:
And one more thing. I am not Linux specialist, but I see a resious problem because this compromised servers are usially troyaned by the 'Linux Root Kit' hidding all hacker's activity. If anyone have some tools to detect this rootkit (it include more than 200 files changed in the system), point it, please - all my attempts to contact RedHat and other Linux developers caused nothing.
Systems using RPM-based package management (Redhat and most other distributions) can use the verify function to check their system's files vs. what was installed. The command to check the entire system is 'rpm -V -a'. The output looks something like: S.5....T c /etc/exports S.5....T c /etc/hosts.allow S.5....T c /etc/motd Periods (.) mean the test passed, otherwise you'll get a fail flag.. 5: MD5 checksum S: file size L: symlink T: mtime D: device U: user G: group M: file modes A 'c' between the flags and the filename indicates that this is a configuration file (and as such commonly modified). More information should be in the rpm manpage. Hope this info helps. -- Greg <a href="mailto:greg@rage.net">|\/\/| Greg Retkowski |\/\/|</a><br> <a href="http://www.rage.net/">|/\/\|"Save the Factories"|/\/\|</a><br>