Delivered-To: freebsd-security@freebsd.org
From: "David Rhodus"
To: "David Xu", "Christopher Schulte"
Cc: "Landon Stewart"
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
Date: Mon, 17 Dec 2001 08:25:54 -0500

# Simple shell script for md5
# Stored format - Filename MD5HASH suidbit/sgidbit
# Usage: $0 create [hashfile]   create/update a table of checksums
#        $0 check  [hashfile]   compare the current system against it
# Uses md5sum; on FreeBSD substitute 'md5 -r', which prints the same
# "hash filename" layout.

echo ""

errormsg() {
    echo "Incorrect parameters!"
    echo "Please use" "$0" "create [hashfile] to create/update a table of checksums or"
    echo "$0" "check [hashfile] to compare checksums."
    echo ""
    exit 1
}

# Emit "filename md5 suid/sgid-bits" for every setuid/setgid regular file on
# the system plus the files directly under ~ /bin /sbin /usr/sbin, sorted.
# The parentheses are required: without them -type f only applied to the
# second -perm branch, so setuid directories and devices were hashed too.
# Columns 4 and 7 of the ls mode string are the setuid and setgid positions
# (s/S when the bit is set, x/- otherwise).
buildlist() {
    {
        find / -type f \( -perm -4000 -o -perm -2000 \)
        find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f
    } | xargs md5sum \
      | awk '{ printf("%s %s ", $2, $1); system("ls -la " $2 " | cut -c 4,7") }' \
      | sort | uniq
}

if [ -z "$1" ]; then
    errormsg
elif [ "$1" = "create" ]; then
    [ -z "$2" ] && errormsg
    echo "Creating table of sums..."
    buildlist > "$2"
    chmod 600 "$2"
    echo ""
    echo "Finished compiling list."
    echo "Hashed a total of" "$(wc -l < "$2")" "files!"
elif [ "$1" = "check" ]; then
    [ -z "$2" ] && errormsg
    echo "Building current settings..."
    # Temporary files come from mktemp rather than fixed names in the
    # current directory, and are removed on every exit path.
    current=$(mktemp) || exit 1
    report=$(mktemp) || exit 1
    trap 'rm -f "$current" "$report"' EXIT
    buildlist > "$current"
    echo "Comparing settings..."
    echo "*-- Checksum report --*" > "$report"
    if [ "$(wc -l < "$current")" -ne "$(wc -l < "$2")" ]; then
        echo "Number of files do not match!" | tee -a "$report"
    fi
    # Count entries whose mode column carries an s or S (setuid/setgid set).
    if [ "$(awk '{ print $3 }' "$current" | grep -c '[sS]')" -ne \
         "$(awk '{ print $3 }' "$2" | grep -c '[sS]')" ]; then
        echo "Number of suid/sgid files do not match!" | tee -a "$report"
    fi
    if diff "$current" "$2" > /dev/null; then
        echo "No differences found!"
        exit 0
    fi
    echo "Differences encountered! Outputting to stdout and mailing user..."
    echo "" | tee -a "$report"
    diff "$current" "$2" | tee -a "$report"
    mail "$(whoami)@$(hostname)" < "$report"
else
    errormsg
fi

----- Original Message -----
From: "David Xu"
To: "Christopher Schulte"
Cc: "Landon Stewart"
Sent: Wednesday, December 12, 2001 1:56 AM
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...

> Could we add a 'sockstat -l' command to /etc/security to check
> listening ports?
> This can prevent some backdoors from being installed.
> --
> David Xu
>
> Christopher Schulte wrote:
>
> > At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
> >
> >> They could have done who knows what to whatever system(s) they wanted
> >> to. Without someone saying "reformat the machines or reinstall"
> >> because that's the obvious answer, is there a way to check which files
> >> differ from the size they should be and have the correct MD5 sum than
> >> they should, or is this asking too much?
> >
> > With no point of reference on 'good state', there's not a lot that can
> > be done. Your previous admins may have legitimately patched things,
> > installed non-standard binaries, or otherwise altered the system from
> > what you'd be able to use as a reference.
> >
> > Even if you could match md5sums, there's many other ways by which a
> > person could install a back door. For example, something as simple as
> > an entry in inetd.conf which serves a root shell upon tcp port
> > connection would not show up in a binary-only md5 scan.
> >
> > Install tripwire (or some custom checksum monitoring system) from the
> > beginning of the OS install for best results. I know, not too much
> > help now. :-(
> >
> > --
> > Christopher Schulte
> > christopher@schulte.org
> > http://noc.schulte.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
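The baseline-and-compare procedure the posted script implements (hash the files, record whether they carry the setuid/setgid bits, diff against a stored table), written as an added example that is not part of the original post or of any FreeBSD tool. It assumes a POSIX sh with GNU find, sort, stat and sha256sum (Linux coreutils), records the mode from stat instead of parsing ls output, and reports per-file differences rather than only mismatched counts.

```sh
#!/bin/sh
# Added example, not the script from the original post: records every regular
# file under the given directories as "path<TAB>sha256<TAB>octal mode" and
# diffs two such manifests. Assumes GNU find/sort/stat/sha256sum (Linux
# coreutils); paths may contain spaces but not tabs or newlines.

build_manifest() {
    # Usage: build_manifest DIR... > manifest
    # find hands the names straight to a shell loop, so spaces survive; the
    # mode comes from stat, so setuid/setgid bits are recorded exactly.
    find "$@" -type f -exec sh -c '
        for f; do
            printf "%s\t%s\t%s\n" "$f" "$(sha256sum < "$f" | cut -d" " -f1)" \
                "$(stat -c %a "$f")"
        done' sh {} + | LC_ALL=C sort
}

compare_manifests() {
    # Usage: compare_manifests BASELINE CURRENT
    # One sorted line per difference: "added P", "removed P", "changed P"
    # (hash or mode differs) and "setid-gained P" (setuid or setgid bit set
    # now but not in the baseline), the check the posted script approximates
    # by counting s/S characters.
    awk -F '\t' -v basefile="$1" '
        # stat prints a 4-digit mode only when a special bit is set; a leading
        # digit of 2 or more means setgid and/or setuid (1 alone is sticky).
        function setid(mode) { return length(mode) == 4 && substr(mode, 1, 1) + 0 >= 2 }
        BEGIN {
            while ((getline line < basefile) > 0) {
                split(line, f, "\t"); base[f[1]] = f[2] "\t" f[3]; basesetid[f[1]] = setid(f[3])
            }
        }
        { cur[$1] = $2 "\t" $3; cursetid[$1] = setid($3) }
        END {
            for (p in base) if (!(p in cur)) print "removed " p
            for (p in cur) {
                if (!(p in base)) print "added " p
                else if (base[p] != cur[p]) print "changed " p
                if (cursetid[p] && !basesetid[p]) print "setid-gained " p
            }
        }' "$2" | LC_ALL=C sort
}

# Typical use: keep the baseline on read-only media, outside the tree it covers.
#   build_manifest /bin /sbin /usr/sbin > /mnt/ro/baseline
#   build_manifest /bin /sbin /usr/sbin > /tmp/current
#   compare_manifests /mnt/ro/baseline /tmp/current
```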