[UFO Chicago] Sad crashing of Linux server

Nick Moffitt nick@zork.net
Fri, 2 Aug 2002 12:57:55 -0700


begin  Jesse Becker  quotation:
> Check /etc/passwd for bogus accounts, and run tripwire or AIDE if
> you have it.  I don't know if debian lets you verify packages like
> rpm does, but I'd check those as well if you can.

You don't just "run tripwire", and if you've been keeping an offsite
checksum list with it, you'll know what to do with that.

If a box was compromised, "verifying packages like rpm does" is
useless, since they check against an on-disk daturbase that could
easily have been compromised as well.

Your best bet is to compile a statically-linked busybox against
uclibc, and then shuttle it over to use as a pristine set of tools.

-- 
Jack Valenti is to the American film viewer and the American public
as the Boston strangler is to the woman home alone. 
      -- http://cryptome.org/hrcw-hear.htm    (search for "Boston")
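
Added example, not part of the original message: one way to act on the advice above, checking a file tree against a checksum list kept offsite while routing every utility through a trusted static busybox. The BB and SUM variables, the verify_manifest function name and the sha256sum-style manifest format are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post). Check a file tree against a
# checksum manifest that was stored off the machine, running every utility
# through a trusted static busybox instead of the suspect system's binaries.
# Assumptions: BB is the path to that busybox (empty = use PATH, demo only);
# manifest lines look like "<digest>  <relative path>", as sha256sum writes.
# Run the script itself under the trusted shell too, e.g. "$BB sh script".
BB=${BB:-}
SUM=${SUM:-sha256sum}

# verify_manifest MANIFEST ROOT
# Prints MODIFIED/MISSING/UNLISTED findings, returns 1 if there are any.
verify_manifest() {
    manifest=$1 root=$2 bad=0
    # Pass 1: each listed file must exist and hash to the recorded digest.
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        got=$($BB $SUM "$root/$path" | $BB cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    # Pass 2: files on disk that the manifest never recorded (dropped tools,
    # replaced helpers) are findings too.
    listed=$($BB cut -d' ' -f3- "$manifest")
    unlisted=$(cd "$root" && $BB find . -type f | while read -r f; do
        f=${f#./}
        printf '%s\n' "$listed" | $BB grep -qxF -- "$f" || echo "UNLISTED $f"
    done)
    if [ -n "$unlisted" ]; then
        printf '%s\n' "$unlisted"; bad=1
    fi
    return $bad
}
```

The manifest has to be generated while the system is known good and read back from media the suspect box cannot write to; otherwise it is no more trustworthy than the on-disk package database.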