Date: Tue, 10 Feb 2004 14:04:48 -0600
From: Dan Nelson <dnelson@allantgroup.com>
To: Jerry McAllister <jerrymc@clunix.cl.msu.edu>
Cc: questions@freebsd.org
Subject: Re: checking checksums on binaries and checking for rootkits
Message-ID: <20040210200448.GB44504@dan.emsphone.com>
In-Reply-To: <200402101926.i1AJQVQ07757@clunix.cl.msu.edu>
References: <34605.207.5.142.198.1076441813.squirrel@new.host.name> <200402101926.i1AJQVQ07757@clunix.cl.msu.edu>

In the last episode (Feb 10), Jerry McAllister said:
> > hello, I'm using FBSD 4.9 ... Is there a way to check the checksum
> > on binaries like "ls , ps" etc.. to check for rootkits ?
> >
> > On Solaris you can run md5 on a binary and compare it against a
> > utility on Sun's website that will check the fingerprint to see
> > whether the binary is part of a rootkit or the original binary.
> > Does FreeBSD have a tool like this ?
>
> The checksums are available for the ISOs on the FreeBSD site in the
> same directory as the ISOs.
>
> As for individual routines, I don't know.

mtree is great for this. Run "mtree -k sha1digest,time,size -c -p /etc",
save the output to a secure location, and run "mtree -p /etc < mtree.txt"
later to verify timestamps and checksums. Although it's mainly for
self-verification. I suppose you could run it against the live cdrom.

--
Dan Nelson
dnelson@allantgroup.com
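
The baseline-and-verify workflow described in the message above, as an added example that is not part of the original e-mail and is not mtree itself: a Python sketch that records the same three keywords (sha1digest, time, size) and compares the tree against them later. The function names and the sample tree are constructed for illustration; the demo shows a file whose size and timestamp still match the baseline being caught by the digest alone.

```python
import hashlib
import os
import tempfile

FIELDS = ("sha1digest", "size", "time")  # same keywords as the mtree -k list

def snapshot(root):
    """Return {relative path: (sha1 hex, size, mtime_ns)} for regular files."""
    spec = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha1()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(full)
            spec[os.path.relpath(full, root)] = (
                digest.hexdigest(), st.st_size, st.st_mtime_ns)
    return spec

def verify(root, baseline):
    """Compare the live tree with a saved baseline; return sorted findings."""
    current = snapshot(root)
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        if path not in current:
            findings.append((path, "missing"))
        elif path not in baseline:
            findings.append((path, "extra"))
        else:
            changed = [f for f, old, new
                       in zip(FIELDS, baseline[path], current[path]) if old != new]
            if changed:
                findings.append((path, "changed: " + ",".join(changed)))
    return findings

def demo():
    """Constructed tree: take a baseline, then swap one file's content."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("ls", b"original ls"), ("ps", b"original ps")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)  # in practice, stored off the host
        clean = verify(root, baseline)
        target = os.path.join(root, "ls")
        st = os.stat(target)
        with open(target, "wb") as fh:
            fh.write(b"replaced ls")  # same length as the original content
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # old mtime kept
        return clean, verify(root, baseline)
```

As the message says of the mtree output, the baseline only has value if it is kept somewhere the monitored host cannot rewrite it.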