Date:      Mon, 17 Dec 2001 12:48:14 -0700 (MST)
From:      David G Andersen <danderse@cs.utah.edu>
To:        jflowers@ezo.net (Jim Flowers)
Cc:        sdrhodus@sekurity.net (David Rhodus), security@FreeBSD.ORG
Subject:   Re: MD5 sum checking for installed binaries to check for  intrusion or root kits...
Message-ID:  <200112171948.fBHJmEc26259@faith.cs.utah.edu>
In-Reply-To: <003d01c18732$9003b080$22b197ce@ezo.net> from "Jim Flowers" at Dec 17, 2001 02:39:35 PM

md5sum is simply the Linux version of the utility.

Use 'md5 -r' to get output identical to that of md5sum.

  -Dave

Lo and behold, Jim Flowers once said:
> 
> I've been looking for something like this to implement over ipsec and NFS
> but am currently choking on the script.  I suspect it is because the
> `md5sum' xargs utility returns the arguments that the awk program expects
> and my attempt to use /sbin/md5 does not.
> 
> Can you confirm and will you share md5sum, as well?
> 
> Thanks
> 
> ----- Original Message -----
> From: "David Rhodus" <sdrhodus@sekurity.net>
> To: "David Xu" <davidx@viasoft.com.cn>; "Christopher Schulte"
> <christopher@schulte.org>
> Cc: "Landon Stewart" <landons@uniserve.com>; <security@FreeBSD.ORG>
> Sent: Monday, December 17, 2001 8:25 AM
> Subject: Re: MD5 sum checking for installed binaries to check for intrusion
> or root kits...
> 
> 
> > #!/bin/sh
> > # Simple shell script for md5
> > # Stored format - Filename MD5HASH suidbit/sgidbit
> > # The awk filter turns md5sum's "HASH FILE" into "FILE HASH XY", where X and Y
> > # are the setuid/setgid characters (s, S, x or -) cut from the ls -la mode string.
> >
> > echo "";
> >
> > errormsg()
> > {
> >         echo "Incorrect parameters!";
> >         echo "Please use" $0 "create [hashfile] to create/update a table of checksums or";
> >         echo $0 "check [hashfile] [current] to compare checksums.";
> >         echo "";
> >         exit 1
> > }
> >
> > if [ -z "$1" ]; then
> >         errormsg;
> >
> > elif [ "$1" = "create" ]; then
> >         if [ -z "$2" ]; then
> >                 errormsg;
> >         fi
> >         echo "Creating table of sums...";
> >         # -type f is applied to both -perm branches, so directories never reach md5sum
> >         find / -type f \( -perm +4000 -o -perm +2000 \) | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' > .tmp123;
> >         find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >> .tmp123;
> >         sort .tmp123 | uniq > "$2";
> >         rm .tmp123;
> >         chmod 600 "$2";
> >         echo "";
> >         echo "Finished compiling list.";
> >         echo "Hashed a total of" `wc -l < "$2"` "files!";
> >
> > elif [ "$1" = "check" ]; then
> >         if [ -z "$2" ]; then
> >                 errormsg;
> >         fi
> >         echo "Building current settings..."
> >         find / -type f \( -perm +4000 -o -perm +2000 \) | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' > .tmp123;
> >         find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >> .tmp123;
> >         sort .tmp123 | uniq > .tmpf;
> >         rm .tmp123;
> >         echo "Comparing settings..."
> >         echo "*-- Checksum report --*" > .errreport;
> >         if [ `wc -l < .tmpf` -ne `wc -l < "$2"` ]; then
> >                 echo "Number of files do not match!" | tee -a .errreport;
> >         fi
> >         # third column holds the suid/sgid characters; count the entries that carry an s/S
> >         if [ `awk '// {print $3}' .tmpf | egrep "s|S" | wc -l` -ne `awk '// {print $3}' "$2" | egrep "s|S" | wc -l` ]; then
> >                 echo "Number of suid/sgid files do not match!" | tee -a .errreport;
> >         fi
> > #       temp=`diff .tmpf $2`;
> >         if diff .tmpf "$2" > /dev/null; then
> >                 echo "No differences found!";
> >                 rm .tmpf .errreport;
> >                 exit 0;
> >         fi;
> >         echo "Differences encountered! Outputting to stdout and mailing user...";
> >         echo "" | tee -a .errreport;
> >         diff .tmpf "$2" | tee -a .errreport;
> >         mail `whoami`@`hostname` < .errreport;
> >         rm .tmpf .errreport;
> >
> > else
> >         errormsg;
> > fi;
> > ----- Original Message -----
> > From: "David Xu" <davidx@viasoft.com.cn>
> > To: "Christopher Schulte" <christopher@schulte.org>
> > Cc: "Landon Stewart" <landons@uniserve.com>; <security@FreeBSD.ORG>
> > Sent: Wednesday, December 12, 2001 1:56 AM
> > Subject: Re: MD5 sum checking for installed binaries to check for
> intrusion
> > or root kits...
> >
> >
> > > Could we add a 'sockstat -l' command to /etc/security to check
> > > listening ports? This can prevent some backdoors from being installed.
> > > --
> > > David Xu
> > >
> > > Christopher Schulte wrote:
> > >
> > > > At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
> > > >
> > > >> They could have done who knows what to whatever system(s) they wanted
> > > >> to.  Without someone saying "reformat the machines or reinstall"
> > > >> because that's the obvious answer, is there a way to check which files
> > > >> differ from the size they should be and have the correct MD5 sum than
> > > >> they should or is this asking too much?
> > > >
> > > >
> > > > With no point of reference on 'good state', there's not a lot that can
> > > > be done.  Your previous admins may have legitimately patched things,
> > > > installed non-standard binaries, or otherwise altered the system from
> > > > what you'd be able to use as a reference.
> > > >
> > > > Even if you could match md5sums, there are many other ways by which a
> > > > person could install a back door.  For example, something as simple as
> > > > an entry in inetd.conf which serves a root shell upon tcp port
> > > > connection would not show up in a binary-only md5 scan.
> > > >
> > > > Install tripwire (or some custom checksum monitoring system) from the
> > > > beginning of the OS install for best results.  I know, not too much
> > > > help now. :-(
> > > >
> > > > --
> > > > Christopher Schulte
> > > > christopher@schulte.org
> > > > http://noc.schulte.org/
> > > >
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-security" in the body of the message
> > > >
> > >
> > >
> > >
> >
> >
> >
> 
> 
> 


-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200112171948.fBHJmEc26259>