From owner-freebsd-security Wed Dec 12 4: 5:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 723D037B416 for ; Wed, 12 Dec 2001 04:05:35 -0800 (PST)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 5174F1DA7; Wed, 12 Dec 2001 13:05:26 +0100 (CET)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id fBCC57C01325; Wed, 12 Dec 2001 13:05:07 +0100
Date: Wed, 12 Dec 2001 13:05:07 +0100
From: Krzysztof Zaraska
To: freebsd-security@freebsd.org
Subject: Fw: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
Message-Id: <20011212130507.3a1849a1.kzaraska@student.uci.agh.edu.pl>
Organization: University Of Mining And Metallurgy
X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, 11 Dec 2001 22:39:08 -0800
Landon Stewart wrote:

> A while ago (a few months) recently several administrators were let go,
> but were left to their own devices in the NOC until late that night.
> (Don't ask me why because I couldn't tell ya!) I have not noticed any
> strange happenings on any of the systems.

I'd like to note that they could also add extra "features" much earlier...

> They could have done who knows what to whatever system(s) they wanted
> to.
> Without someone saying "reformat the machines or reinstall" because
> that's the obvious answer, is there a way to check which files differ
> from the size they should be and have the correct MD5 sum than they
> should or is this asking too much?

Well I thought about this problem once (though I ended up moving data to
another machine in that case), but _theoretically_...

If they are -RELEASE machines you could take the install CD for the
appropriate version and compare binaries on the system with those on the
CD. IMVHO they shouldn't differ. Configuration files will have to be
analyzed by hand, of course.

If the system in question was cvsup'ed and built from sources there is
not much that can be done, unfortunately.

Binaries installed from ports/packages can be treated the same way, but
you'd have to get _exactly_ the same version-revision-patchlevel of each
package in question, which may not be possible. pkg_add puts some md5
checksums under /var/db/pkg/ but these are not reliable (if someone could
trojan a binary s/he could also modify the database), but you could look
for inconsistencies.

I would anyhow audit configuration files in the first place.

Next, _theoretically_ a binary update/reinstall (without touching the
configuration files) from a trusted source should remove trojaned
binaries in the base system. I would boot from the install floppy (to
avoid a trojaned kernel etc.) and do a binary upgrade (even to the same
version).

As I said at the beginning, this is a _purely theoretical_ discussion.
I'm not making any claims that these methods will work.

Regards,
Krzysztof

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
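Added example (mine, not code from this thread or from FreeBSD): a small sh script that does the comparison Krzysztof sketches, a trusted reference tree against the suspect tree of the same paths, and reports every file that differs, is missing, or has appeared. It assumes the reference is something the intruders never had write access to, e.g. the base distribution extracted from the -RELEASE CD onto scratch space or the same directory on a freshly installed box of the same release; that both trees are mounted on the machine you run it from; and that this machine was booted from clean media, because a root-level intruder can trojan md5(1), find(1) and sh(1) on the compromised host as easily as ls(1). The function and label names are my own, and the digest tool is whichever of sha256sum, sha256, md5sum or md5 happens to be present.

```shell
#!/bin/sh
# Compare a suspect tree against a trusted reference tree of the same paths
# and report anything that differs. Added example for this thread, not
# FreeBSD code. Run it, and the tools it calls, from clean boot media:
# nothing on the suspect disk (binaries, /var/db/pkg, the kernel) is trusted.
#
# usage: sh check_tree.sh <reference-tree> <suspect-tree>
#   e.g. sh check_tree.sh /mnt/cdroot/bin /mnt/suspect/bin   (paths assumed)

LC_ALL=C            # sort(1) and join(1) must agree on collation
export LC_ALL
TAB=$(printf '\t')

# Print only the digest of one file, using whatever tool is present.
# SHA-256 is preferred; MD5 (the thread's choice) still serves here because
# the reference digests come from vendor media the intruder never touched,
# so a collision is of no use to him and a second preimage would be needed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                    # FreeBSD
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum -- "$1" | cut -d' ' -f1
    else
        md5 -q "$1"                       # FreeBSD
    fi
}

# Emit "relative-path<TAB>digest" for every regular file under $1, sorted by
# path so the two manifests can be joined. Symlinks and devices are skipped;
# file names containing a tab or newline would confuse the manifest, which
# the base-system directories this is meant for never contain.
manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "${f#./}" "$(hash_file "$f")"
    done )
}

# $1 = trusted reference tree, $2 = suspect tree.
# Prints one line per discrepancy:
#   MODIFIED path   same path, different digest (trojaned or patched file)
#   MISSING  path   present in the reference, gone from the suspect host
#   EXTRA    path   present on the suspect host only (dropped tool, backdoor)
compare_trees() {
    ref=$(mktemp "${TMPDIR:-/tmp}/chktree.XXXXXX") || return 1
    sus=$(mktemp "${TMPDIR:-/tmp}/chktree.XXXXXX") || return 1
    manifest "$1" >"$ref"
    manifest "$2" >"$sus"
    join -t "$TAB" "$ref" "$sus"      | awk -F "$TAB" '$2 != $3 { print "MODIFIED " $1 }'
    join -t "$TAB" -v 1 "$ref" "$sus" | awk -F "$TAB" '{ print "MISSING " $1 }'
    join -t "$TAB" -v 2 "$ref" "$sus" | awk -F "$TAB" '{ print "EXTRA " $1 }'
    rm -f "$ref" "$sus"
}

# Only act when invoked as a script with two trees; sourcing the file just
# defines the functions above.
if [ $# -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

A clean tree produces an empty report. Configuration files under /etc will of course show up as MODIFIED and still have to be read by hand, as the post says, and a binary that was patched for a legitimate reason looks exactly like a trojaned one, so every MODIFIED line deserves a look rather than an automatic verdict. The checksums pkg_add leaves under /var/db/pkg are deliberately not consulted: they sit on the suspect disk and could have been rewritten along with the binaries.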