Date: Mon, 17 Dec 2001 14:39:35 -0500 From: "Jim Flowers" <jflowers@ezo.net> To: "David Rhodus" <sdrhodus@sekurity.net> Cc: <security@FreeBSD.ORG> Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits... Message-ID: <003d01c18732$9003b080$22b197ce@ezo.net> References: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org> <3C16FF8A.1050001@viasoft.com.cn> <002a01c186fe$5af22b80$1506810a@asgidavid>
next in thread | previous in thread | raw e-mail | index | archive | help
I've been looking for something like this to implement over ipsec and NFS
but am currently choking on the script. I suspect it is because the
`md5sum' xargs utility returns the arguments that the awk program expects
and my attempt to use /sbin/md5 does not.
Can you confirm and will you share md5sum, as well?
Thanks
----- Original Message -----
From: "David Rhodus" <sdrhodus@sekurity.net>
To: "David Xu" <davidx@viasoft.com.cn>; "Christopher Schulte"
<christopher@schulte.org>
Cc: "Landon Stewart" <landons@uniserve.com>; <security@FreeBSD.ORG>
Sent: Monday, December 17, 2001 8:25 AM
Subject: Re: MD5 sum checking for installed binaries to check for intrusion
or root kits...
> # Simple shell script for md5
> # Stored format - Filename MD5HASH suidbit/sgidbit
>
> echo "";
>
> errormsg()
> {
> echo "Incorrect parameters!";
> echo "Please use" $0 "create [hashfile] to create/update a table
of
> checksums or";
> echo $0 "check [hashfile] [current] to compare checksums.";
> echo "";
> exit
> }
>
> if [ -z $1 ]; then
> errormsg;
>
> elif [ $1 = "create" ]; then
> if [ -z $2 ]; then
> errormsg;
> fi
> echo "Creating table of sums...";
> find / -name '*' -perm +4000 -o -perm +2000 -type f | xargs md5sum
|
> awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >
> .tmp123;
> find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum |
awk
> '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >>
> .tmp123;
> cat .tmp123 | sort | uniq > $2;
> rm .tmp123;
> chmod 600 $2;
> echo "";
> echo "Finished compiling list.";
> echo "Hashed a total of"`cat $2 | wc --lines` "files!";
>
> elif [ $1 = "check" ]; then
> if [ -z $2 ]; then
> errormsg;
> fi
> echo "Building current settings..."
> find / -name '*' -perm +4000 -o -perm +2000 -type f | xargs md5sum
|
> awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >
> .tmp123;
> find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum |
awk
> '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >>
> .tmp123;
> cat .tmp123 | sort | uniq > .tmpf;
> rm .tmp123;
> echo "Comparing settings..."
> echo "*-- Checksum report --*" > .errreport;
> if [ `cat .tmpf | wc -l` -ne `cat $2 | wc -l` ]; then
> echo "Number of files do not match!" | tee --append
> .errreport;
> fi
> if [ `cat .tmpf | awk '// {print $3}' | egrep "s|S" | wc -l` -ne
> `cat $2 | awk '// {print $3}' | egrep "s|S" | wc -l` ]; then
> echo "Number of suid/sgid files do not match!" | tee --a
> .errreport;
> fi
> # temp=`diff .tmpf $2`;
> if (diff .tmpf $2 > /dev/null) then
> echo "No differences found!";
> rm .tmpf .errreport;
> exit;
> fi;
> echo "Differences encountered! Outputting to stdout and mailing
> user...";
> echo "" | tee -a .errreport;
> diff .tmpf $2 | tee -a .errreport;
> mail `whoami`@`hostname` < .errreport;
> rm .tmpf .errreport;
>
> elif [ -n $1 ]; then
> errormsg;
> fi;
> ----- Original Message -----
> From: "David Xu" <davidx@viasoft.com.cn>
> To: "Christopher Schulte" <christopher@schulte.org>
> Cc: "Landon Stewart" <landons@uniserve.com>; <security@FreeBSD.ORG>
> Sent: Wednesday, December 12, 2001 1:56 AM
> Subject: Re: MD5 sum checking for installed binaries to check for
intrusion
> or root kits...
>
>
> > Could we add a 'sockstat -l' command to /etc/security to check
> > listening port,
> > this can prevent some backdoor from be installed.
> > --
> > David Xu
> >
> > Christopher Schulte wrote:
> >
> > > At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
> > >
> > >> They could have done who knows what to whatever system(s) they wanted
> > >> to. Without someone saying "reformat the machines or reinstall"
> > >> because thats the obvious answer, is there a way to check which files
> > >> differ from the size they should be and have the correct MD5 sum than
> > >> they should or is this asking too much?
> > >
> > >
> > > With no point of reference on 'good state', there's not a lot that can
> > > be done. Your previous admins may have legitimately patched things,
> > > installed non-standard binaries, or otherwise altered the system from
> > > what you'd be able to use as a reference.
> > >
> > > Even if you could match md5sums, there's many other ways by which a
> > > person could install a back door. For example, something as simple as
> > > an entry in inetd.conf which serves a root shell upon tcp port
> > > connection would not show up in a binary-only md5 scan.
> > >
> > > Install tripwire (or some custom checksum monitoring system) from the
> > > beginning of the OS install for best results. I know, not too much
> > > help now. :-(
> > >
> > > --
> > > Christopher Schulte
> > > christopher@schulte.org
> > > http://noc.schulte.org/
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> > >
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003d01c18732$9003b080$22b197ce>