Date:      Mon, 17 Dec 2001 08:25:54 -0500
From:      "David Rhodus" <sdrhodus@sekurity.net>
To:        "David Xu" <davidx@viasoft.com.cn>, "Christopher Schulte" <christopher@schulte.org>
Cc:        "Landon Stewart" <landons@uniserve.com>, <security@FreeBSD.ORG>
Subject:   Re: MD5 sum checking for installed binaries to check for  intrusion or root kits...
Message-ID:  <002a01c186fe$5af22b80$1506810a@asgidavid>
References:  <5.1.0.14.0.20011212004626.03242638@pop.schulte.org> <3C16FF8A.1050001@viasoft.com.cn>

# Simple shell script for MD5 integrity checking of setuid/setgid and core system binaries
# Stored format, one line per file: Filename MD5HASH suid/sgid mode characters

# Leading blank line before any script output.
printf '\n'

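#######################################
# Print the usage text and abort.
# Globals:   $0 (read) - script name shown in the usage lines
# Outputs:   usage text on stderr, so it is never mistaken for table data
# Returns:   does not return; exits with status 2 (usage error), which
#            lets cron jobs and wrappers detect a bad invocation
#######################################
errormsg()
{
        {
                echo "Incorrect parameters!"
                echo "Please use $0 create [hashfile] to create/update a table of checksums or"
                echo "$0 check [hashfile] [current] to compare checksums."
                echo ""
        } >&2
        exit 2
}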

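#######################################
# Emit one table line per NUL-separated path read from stdin:
#   <path> <md5 hex digest> <owner-exec char><group-exec char>
# The trailing two characters are columns 4 and 7 of `ls -l`, so an
# 's'/'S' marks a setuid or setgid bit (same format as before).
# Paths are passed as arguments, never spliced into a shell string, so
# a file name containing whitespace or shell metacharacters cannot run
# commands under the script's (usually root) privileges.
# Requires bash (read -d '').
# Arguments: none; reads `find -print0` output on stdin
# Outputs:   table lines on stdout
#######################################
hash_files()
{
        local path digest bits
        while IFS= read -r -d '' path; do
                # Hash via stdin so md5sum never escapes the name in its output.
                digest=$(md5sum < "$path") || continue
                digest=${digest%% *}
                # -d: list the entry itself, not a directory's contents.
                bits=$(ls -ld -- "$path" | cut -c 4,7)
                printf '%s %s %s\n' "$path" "$digest" "$bits"
        done
}

#######################################
# Build the sorted, de-duplicated hash table.
# Covers every regular setuid/setgid file on the system plus the
# top-level regular files of $HOME, /bin, /sbin and /usr/sbin.
# Arguments: $1 - output file (overwritten)
#######################################
build_table()
{
        local out=$1
        {
                # Parentheses are required: without them -o binds weaker than
                # the implied -a, so -type f only applied to the sgid half and
                # setuid directories/symlinks leaked into the table.
                find / -type f \( -perm -4000 -o -perm -2000 \) -print0
                find "$HOME" /bin /sbin /usr/sbin -maxdepth 1 -type f -print0
        } | hash_files | sort -u > "$out"
}

#######################################
# Print the number of lines in file $1 as a bare integer
# (strips the padding BSD wc adds).
#######################################
line_count()
{
        local n
        n=$(wc -l < "$1")
        echo $((n))
}

#######################################
# Print how many table lines in file $1 carry a setuid/setgid marker,
# i.e. an 's' or 'S' in the last (mode) field.
#######################################
setid_count()
{
        awk '$NF ~ /[sS]/ { n++ } END { print n + 0 }' -- "$1"
}

# Usage: $0 create HASHFILE | $0 check HASHFILE
case "$1" in
create)
        [ -n "$2" ] || errormsg
        echo "Creating table of sums...";
        # Write under a restrictive umask so the table is never briefly
        # world-readable; the chmod afterwards covers a pre-existing file.
        (umask 077; build_table "$2")
        chmod 600 -- "$2"
        echo "";
        echo "Finished compiling list.";
        echo "Hashed a total of $(line_count "$2") files!";
        ;;
check)
        [ -n "$2" ] || errormsg
        [ -r "$2" ] || { echo "Cannot read hashfile: $2" >&2; exit 1; }
        echo "Building current settings..."
        # Unpredictable temp files instead of fixed names in the working
        # directory, which an unprivileged user could pre-create or symlink;
        # the trap removes them on every exit path.
        current=$(mktemp) || exit 1
        report=$(mktemp) || exit 1
        trap 'rm -f -- "$current" "$report"' EXIT
        build_table "$current"
        echo "Comparing settings..."
        echo "*-- Checksum report --*" > "$report"
        if [ "$(line_count "$current")" -ne "$(line_count "$2")" ]; then
                echo "Number of files do not match!" | tee -a "$report"
        fi
        if [ "$(setid_count "$current")" -ne "$(setid_count "$2")" ]; then
                echo "Number of suid/sgid files do not match!" | tee -a "$report"
        fi
        if diff -- "$current" "$2" > /dev/null; then
                echo "No differences found!"
                exit 0
        fi
        echo "Differences encountered! Outputting to stdout and mailing user..."
        echo "" | tee -a "$report"
        diff -- "$current" "$2" | tee -a "$report"
        mail "$(whoami)@$(hostname)" < "$report"
        ;;
*)
        errormsg
        ;;
esac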
----- Original Message -----
From: "David Xu" <davidx@viasoft.com.cn>
To: "Christopher Schulte" <christopher@schulte.org>
Cc: "Landon Stewart" <landons@uniserve.com>; <security@FreeBSD.ORG>
Sent: Wednesday, December 12, 2001 1:56 AM
Subject: Re: MD5 sum checking for installed binaries to check for intrusion
or root kits...


> Could we add a 'sockstat -l' command to /etc/security to check
> listening ports?
> This could prevent some backdoors from being installed unnoticed.
> --
> David Xu
>
> Christopher Schulte wrote:
>
> > At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
> >
> >> They could have done who knows what to whatever system(s) they wanted
> >> to.  Without someone saying "reformat the machines or reinstall"
> >> because that's the obvious answer, is there a way to check which files
> >> differ in size from what they should be, or do not have the MD5 sum
> >> they should have, or is this asking too much?
> >
> >
> > With no point of reference on 'good state', there's not a lot that can
> > be done.  Your previous admins may have legitimately patched things,
> > installed non-standard binaries, or otherwise altered the system from
> > what you'd be able to use as a reference.
> >
> > Even if you could match md5sums, there's many other ways by which a
> > person could install a back door.  For example, something as simple as
> > an entry in inetd.conf which serves a root shell upon tcp port
> > connection would not show up in a binary-only md5 scan.
> >
> > Install tripwire (or some custom checksum monitoring system) from the
> > beginning of the OS install for best results.  I know, not too much
> > help now. :-(
> >
> > --
> > Christopher Schulte
> > christopher@schulte.org
> > http://noc.schulte.org/
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



