Date: Mon, 17 Dec 2001 14:39:35 -0500
From: "Jim Flowers" <jflowers@ezo.net>
To: "David Rhodus" <sdrhodus@sekurity.net>
Cc: <security@FreeBSD.ORG>
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
Message-ID: <003d01c18732$9003b080$22b197ce@ezo.net>
References: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org> <3C16FF8A.1050001@viasoft.com.cn> <002a01c186fe$5af22b80$1506810a@asgidavid>
I've been looking for something like this to implement over ipsec and NFS
but am currently choking on the script.  I suspect it is because the
`md5sum' xargs utility returns the arguments that the awk program expects
and my attempt to use /sbin/md5 does not.

Can you confirm and will you share md5sum, as well?

Thanks

----- Original Message -----
From: "David Rhodus" <sdrhodus@sekurity.net>
To: "David Xu" <davidx@viasoft.com.cn>; "Christopher Schulte" <christopher@schulte.org>
Cc: "Landon Stewart" <landons@uniserve.com>; <security@FreeBSD.ORG>
Sent: Monday, December 17, 2001 8:25 AM
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...


> # Simple shell script for md5
> # Stored format - Filename MD5HASH suidbit/sgidbit
>
> echo "";
>
> errormsg()
> {
> echo "Incorrect parameters!";
> echo "Please use" $0 "create [hashfile] to create/update a table of checksums or";
> echo $0 "check [hashfile] [current] to compare checksums.";
> echo "";
> exit
> }
>
> if [ -z "$1" ]; then
> errormsg;
>
> elif [ "$1" = "create" ]; then
> if [ -z "$2" ]; then
> errormsg;
> fi
> echo "Creating table of sums...";
> # The parentheses group the -o branches so that -type f applies to both setuid and setgid files
> find / -type f \( -perm +4000 -o -perm +2000 \) | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' > .tmp123;
> find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >> .tmp123;
> cat .tmp123 | sort | uniq > "$2";
> rm .tmp123;
> chmod 600 "$2";
> echo "";
> echo "Finished compiling list.";
> echo "Hashed a total of" `cat "$2" | wc -l` "files!";
>
> elif [ "$1" = "check" ]; then
> if [ -z "$2" ]; then
> errormsg;
> fi
> echo "Building current settings..."
> find / -type f \( -perm +4000 -o -perm +2000 \) | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' > .tmp123;
> find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >> .tmp123;
> cat .tmp123 | sort | uniq > .tmpf;
> rm .tmp123;
> echo "Comparing settings..."
> echo "*-- Checksum report --*" > .errreport;
> if [ `cat .tmpf | wc -l` -ne `cat "$2" | wc -l` ]; then
> echo "Number of files do not match!" | tee -a .errreport;
> fi
> if [ `cat .tmpf | awk '// {print $3}' | egrep "s|S" | wc -l` -ne `cat "$2" | awk '// {print $3}' | egrep "s|S" | wc -l` ]; then
> echo "Number of suid/sgid files do not match!" | tee -a .errreport;
> fi
> # temp=`diff .tmpf $2`;
> if (diff .tmpf "$2" > /dev/null); then
> echo "No differences found!";
> rm .tmpf .errreport;
> exit;
> fi;
> echo "Differences encountered! Outputting to stdout and mailing user...";
> echo "" | tee -a .errreport;
> diff .tmpf "$2" | tee -a .errreport;
> mail `whoami`@`hostname` < .errreport;
> rm .tmpf .errreport;
>
> elif [ -n "$1" ]; then
> errormsg;
> fi;
>
> ----- Original Message -----
> From: "David Xu" <davidx@viasoft.com.cn>
> To: "Christopher Schulte" <christopher@schulte.org>
> Cc: "Landon Stewart" <landons@uniserve.com>; <security@FreeBSD.ORG>
> Sent: Wednesday, December 12, 2001 1:56 AM
> Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
>
>
> > Could we add a 'sockstat -l' command to /etc/security to check listening
> > ports?  This can prevent some backdoors from being installed.
> > --
> > David Xu
> >
> > Christopher Schulte wrote:
> >
> > > At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
> > >
> > >> They could have done who knows what to whatever system(s) they wanted
> > >> to.  Without someone saying "reformat the machines or reinstall"
> > >> because that's the obvious answer, is there a way to check which files
> > >> differ from the size they should be and have the correct MD5 sum than
> > >> they should, or is this asking too much?
> > >
> > >
> > > With no point of reference on 'good state', there's not a lot that can
> > > be done.  Your previous admins may have legitimately patched things,
> > > installed non-standard binaries, or otherwise altered the system from
> > > what you'd be able to use as a reference.
> > >
> > > Even if you could match md5sums, there are many other ways by which a
> > > person could install a back door.  For example, something as simple as
> > > an entry in inetd.conf which serves a root shell upon tcp port
> > > connection would not show up in a binary-only md5 scan.
> > >
> > > Install tripwire (or some custom checksum monitoring system) from the
> > > beginning of the OS install for best results.  I know, not too much
> > > help now. :-(
> > >
> > > --
> > > Christopher Schulte
> > > christopher@schulte.org
> > > http://noc.schulte.org/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
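The portability problem Jim Flowers runs into is the digest tool's output format: GNU md5sum prints "digest  file" (digest in $1, file in $2), while FreeBSD's /sbin/md5 prints "MD5 (file) = digest", so an awk program written for md5sum's fields silently gets the wrong values from md5. The script below is an added example written for this thread, not David Rhodus' script or anything else posted to the list; it keeps his idea (a sorted table of setuid/setgid files with digest and mode bits, then a diff against it) but normalises the digest through one function so the same script works with either tool, groups the find(1) tests with parentheses so that -type f applies to both branches, uses tab-separated fields so the compare step is not confused by paths with spaces, and classifies each divergence as ADDED, REMOVED or CHANGED. Assumed tools: a POSIX sh, find, ls, cut, awk, sort, mktemp and one of md5sum or md5; the ROOT argument, the function names and the report words are this example's own choices.

```shell
#!/bin/sh
# Added example: baseline/compare tool for setuid/setgid files that works
# with either GNU md5sum or BSD md5. Not the script from the thread.
# Assumes: POSIX sh, find, ls, cut, awk, sort, mktemp, and md5sum or md5.

# hash_file FILE: print only the hex digest, whichever tool is installed.
# md5sum prints "digest  file"; BSD md5 prints "MD5 (file) = digest",
# so the digest is md5sum's first field and md5's last field.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    elif command -v md5 >/dev/null 2>&1; then
        md5 "$1" | awk '{ print $NF }'
    else
        echo "hash_file: neither md5sum nor md5 found" >&2
        return 1
    fi
}

# build_baseline ROOT: one line "path<TAB>digest<TAB>bits" per setuid/setgid
# regular file under ROOT, sorted. "bits" are columns 4 and 7 of ls -l (the
# owner and group execute slots), so a setuid, executable file shows "sx".
# The parentheses matter: "-perm -4000 -o -perm -2000 -type f" would apply
# -type f to the setgid branch only.
build_baseline() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do   # one path per line; newlines in names unsupported
        printf '%s\t%s\t%s\n' "$path" "$(hash_file "$path")" \
            "$(ls -ld "$path" | cut -c 4,7)"
    done | sort
}

# compare_baselines OLD NEW: print "ADDED path", "REMOVED path" or
# "CHANGED path" (digest or mode bits differ) for every divergence,
# and nothing at all when the two tables agree.
compare_baselines() {
    awk -F '\t' '
        tag == "old" { old[$1] = $2 "/" $3; next }
                     { new[$1] = $2 "/" $3 }
        END {
            for (p in old) {
                if (!(p in new)) { print "REMOVED " p }
                else if (old[p] != new[p]) { print "CHANGED " p }
            }
            for (p in new) { if (!(p in old)) print "ADDED " p }
        }' tag=old "$1" tag=new "$2" | sort
}

# check_baseline BASELINE ROOT: rebuild the table for ROOT and compare it
# with BASELINE. Returns 0 when nothing changed, 1 (report on stdout) otherwise.
check_baseline() {
    current=$(mktemp) || return 2
    build_baseline "$2" > "$current"
    report=$(compare_baselines "$1" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Entry point: "create BASELINE ROOT" or "check BASELINE ROOT". With no
# arguments nothing runs, so the file can also be sourced for its functions.
case "${1:-}" in
    create) build_baseline "$3" > "$2" && chmod 600 "$2" ;;
    check)  check_baseline "$2" "$3" ;;
    "")     ;;
    *)      echo "usage: $0 create|check BASELINE ROOT" >&2; exit 2 ;;
esac
```

Run it as `sh suidcheck.sh create /var/db/suid.base /` on a known-good install and `sh suidcheck.sh check /var/db/suid.base /` afterwards; the exit status is 1 whenever the report is non-empty, so it can drive a cron mail the way the original script does. Two caveats a practitioner should keep in mind: the baseline is only as trustworthy as the state it was taken from and the place it is stored (Christopher Schulte's point above), so keep it on read-only media or off the host; and a digest table only covers file contents, so a backdoor added to inetd.conf or a new listener (David Xu's sockstat suggestion) needs its own check. Swapping MD5 for SHA-256 is a two-line change in hash_file, since sha256sum and BSD sha256 use the same two output layouts.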
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003d01c18732$9003b080$22b197ce>