From owner-freebsd-security Tue Dec 11 23: 1:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.viasoft.com.cn (unknown [61.153.1.177]) by hub.freebsd.org (Postfix) with ESMTP id 0022837B419 for ; Tue, 11 Dec 2001 23:01:43 -0800 (PST)
Received: from viasoft.com.cn (davidwnt.viasoft.com.cn [192.168.1.239]) by mail.viasoft.com.cn (8.9.3/8.9.3) with ESMTP id PAA00573; Wed, 12 Dec 2001 15:09:04 +0800
Message-ID: <3C16FF8A.1050001@viasoft.com.cn>
Date: Wed, 12 Dec 2001 14:56:10 +0800
From: David Xu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011019 Netscape6/6.2
X-Accept-Language: en-us
MIME-Version: 1.0
To: Christopher Schulte
Cc: Landon Stewart , security@FreeBSD.ORG
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
References: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

Could we add a 'sockstat -l' command to /etc/security to check listening
ports? This can prevent some backdoors from being installed.

-- 
David Xu

Christopher Schulte wrote:

> At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
>
>> They could have done who knows what to whatever system(s) they wanted
>> to. Without someone saying "reformat the machines or reinstall"
>> because that's the obvious answer, is there a way to check which files
>> differ from the size they should be and have the correct MD5 sum than
>> they should or is this asking too much?
>
> With no point of reference on 'good state', there's not a lot that can
> be done. Your previous admins may have legitimately patched things,
> installed non-standard binaries, or otherwise altered the system from
> what you'd be able to use as a reference.
>
> Even if you could match md5sums, there are many other ways by which a
> person could install a back door. For example, something as simple as
> an entry in inetd.conf which serves a root shell upon tcp port
> connection would not show up in a binary-only md5 scan.
>
> Install tripwire (or some custom checksum monitoring system) from the
> beginning of the OS install for best results. I know, not too much
> help now. :-(
>
> --
> Christopher Schulte
> christopher@schulte.org
> http://noc.schulte.org/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
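Added example, not code from this thread and not FreeBSD's own /etc/security script: a small sh fragment that combines the two suggestions above. It diffs a saved 'sockstat -l' listing against the current one and reports listeners that have appeared (the same diff-against-yesterday approach /etc/security uses for its other checks), and it verifies a recorded digest of inetd.conf, the file the quoted reply names as a place a binary-only MD5 scan would never look. The 'sockstat -l' column layout assumed is FreeBSD's (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS); the two snapshots, the inetd.conf line, the '*:1234' listener and every file name below are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread nor FreeBSD's own /etc/security.
# (1) Report listening sockets present today that were absent from the saved
#     'sockstat -l' snapshot.
# (2) Check the digest of inetd.conf, since a backdoor entry there leaves the
#     MD5 sum of every binary untouched.
# All input below is constructed so the script runs offline on any Unix.
set -u

# Assumed 'sockstat -l' columns: USER COMMAND PID FD PROTO LOCAL-ADDR FOREIGN-ADDR
# Reduce each line to "user command proto local-address": PIDs and FDs change on
# every reboot and would make each day's diff noisy.
normalise_listeners() {
    awk 'NR > 1 && NF >= 6 { print $1, $2, $5, $6 }' "$1" | sort -u
}

# Print listeners present in the current snapshot ($2) but not in the baseline ($1).
new_listeners() {
    nl_base=$(mktemp "${TMPDIR:-/tmp}/sockstat.XXXXXX")
    nl_cur=$(mktemp "${TMPDIR:-/tmp}/sockstat.XXXXXX")
    normalise_listeners "$1" > "$nl_base"
    normalise_listeners "$2" > "$nl_cur"
    comm -13 "$nl_base" "$nl_cur"
    rm -f "$nl_base" "$nl_cur"
}

# Hex MD5 of a file: md5(1) on FreeBSD, md5sum(1) elsewhere.
file_digest() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | awk '{ print $1 }'
    fi
}

# Succeed only if the digest of FILE ($1) equals the one recorded in DIGESTFILE ($2).
check_digest() {
    [ "$(file_digest "$1")" = "$(cat "$2")" ]
}

# --- constructed sample data (hypothetical paths) ---
work=$(mktemp -d "${TMPDIR:-/tmp}/seccheck.XXXXXX")
cat > "$work/sockstat.yesterday" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     sendmail   530   5  tcp4   127.0.0.1:25          *:*
EOF
cat > "$work/sockstat.today" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       498   4  tcp4   *:22                  *:*
root     sendmail   511   5  tcp4   127.0.0.1:25          *:*
root     inetd      602   6  tcp4   *:1234                *:*
EOF
# A one-line inetd.conf and the digest recorded when the known-good state was taken.
printf 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l\n' > "$work/inetd.conf"
file_digest "$work/inetd.conf" > "$work/inetd.conf.md5"

# Daily report, in the style of the "Checking ..." sections of /etc/security.
daily_report() {
    printf 'Checking for new listening sockets:\n'
    new_listeners "$work/sockstat.yesterday" "$work/sockstat.today"
    if check_digest "$work/inetd.conf" "$work/inetd.conf.md5"; then
        printf 'inetd.conf: digest unchanged\n'
    else
        printf 'inetd.conf: DIGEST CHANGED, review the file\n'
    fi
}
daily_report
```

On a real host the snapshots would be produced by sockstat -l itself, with the previous copy kept the way /etc/security keeps its other day-old listings, and the digest file would be written at install time. The check only says that something changed since the recorded state, which is exactly why the quoted advice to record that state from the start of the install matters: without it, as the reply says, there is no point of reference.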