From owner-freebsd-security  Tue Dec 11 22:56: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197])
	by hub.freebsd.org (Postfix) with ESMTP id 8D27537B405
	for <security@FreeBSD.ORG>; Tue, 11 Dec 2001 22:55:58 -0800 (PST)
Received: from tarmap.schulte.org (tarmap.schulte.org [209.134.156.198])
	by poontang.schulte.org (Postfix) with ESMTP
	id 56B83D160D; Wed, 12 Dec 2001 00:55:57 -0600 (CST)
Message-Id: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 12 Dec 2001 00:55:56 -0600
To: Landon Stewart <landons@uniserve.com>, security@FreeBSD.ORG
From: Christopher Schulte <christopher@schulte.org>
Subject: Re: MD5 sum checking for installed binaries to check for
  intrusion or root kits...
In-Reply-To: <3C16FB8C.9020908@uniserve.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
>They could have done who knows what to whatever system(s) they wanted 
>to.  Without someone saying "reformat the machines or reinstall" because 
>thats the obvious answer, is there a way to check which files differ from 
>the size they should be and have the correct MD5 sum than they should or 
>is this asking too much?

With no point of reference on 'good state', there's not a lot that can be 
done.  Your previous admins may have legitimately patched things, installed 
non-standard binaries, or otherwise altered the system from what you'd be 
able to use as a reference.

Even if you could match md5sums, there's many other ways by which a person 
could install a back door.  For example, something as simple as an entry in 
inetd.conf which serves a root shell upon tcp port connection would not 
show up in a binary-only md5 scan.

Install tripwire (or some custom checksum monitoring system) from the 
beginning of the OS install for best results.  I know, not too much help 
now. :-(

--
Christopher Schulte
christopher@schulte.org
http://noc.schulte.org/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message