by Anonymous Coward on Monday April 29, 2013 @02:34PM (#43583335)
TFA actually says that "rpm -V" (or debsums or whatever) doesn't detect it because the vulnerable software is not installed through the package manager, and so is not present in the package database. It's still a modified executable, so tripwire or another host-based intrusion detection system will see it, if it's configured to monitor stuff in /usr/local.
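The kind of check the comment above describes, as an added example that is not part of the original thread: a content-hash baseline for files the package database does not know about, which flags a replaced file even when size, mode, owner and mtime all match. The function names (`snapshot`, `compare`, `demo`) and the stand-in `sbin/httpd` file are assumptions made for illustration; this is not Tripwire's code.

```python
import hashlib, os, pathlib, stat, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> (sha256, size, mode, uid, gid, mtime_ns) for regular files."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                meta = (st.st_size, st.st_mode, st.st_uid, st.st_gid, st.st_mtime_ns)
                snap[os.path.relpath(p, root)] = (sha256_file(p),) + meta
    return snap

def compare(baseline, current):
    """Return sorted (path, finding) pairs; the hash is decisive, metadata is secondary."""
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added"))
        elif new is None:
            findings.append((path, "removed"))
        elif old[0] != new[0]:
            same_meta = old[1:] == new[1:]
            findings.append((path, "content changed, metadata identical" if same_meta
                             else "content and metadata changed"))
        elif old[1:] != new[1:]:
            findings.append((path, "metadata changed"))
    return findings

def demo():
    """Constructed scenario: same-size replacement with the original mtime restored."""
    with tempfile.TemporaryDirectory() as root:
        target = pathlib.Path(root, "sbin", "httpd")  # stand-in file, not a real binary
        target.parent.mkdir()
        target.write_bytes(b"original build\n")
        target.chmod(0o755)
        baseline = snapshot(root)
        st = target.stat()
        target.write_bytes(b"replaced build\n")  # same length as the original
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # mtime now matches baseline
        return compare(baseline, snapshot(root))
```

In practice the baseline has to be stored where a compromised host cannot rewrite it, otherwise the comparison proves nothing.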
Wow (Score:5, Insightful)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
Re: (Score:0)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
The timestamp, permissions and owner are the same as the rest of the associated files (this infection isn't stupid). I'm sure you could use your x-ray vision to see that it's been replaced by a malicious copy. Please share your expertise with the rest of us.
Re: (Score:3)
rpm -V also checks the MD5 sum of the file - if it's been modified, it should flag a difference in checksums, even if every other bit of metadata is the same.
That said, it's quite easy to believe that lots of people aren't running "rpm -V httpd" regularly on their Linux servers, so all the people responding "DUH, NOOBZ" just sound like dicks. Next time, they should probably try showing off their deep knowledge of rpm by helpfully suggesting "rpm -V will find this, and you should be running this on all your
You are the noob (Score:2)