Date: Fri, 7 Aug 1998 21:37:47 -0400
From: Keith Stevenson <k.stevenson@louisville.edu>
To: Brett Glass <brett@lariat.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
Message-ID: <19980807213747.A1702@homer.louisville.edu>
In-Reply-To: <199808072337.RAA13808@lariat.lariat.org>; from Brett Glass on Fri, Aug 07, 1998 at 03:17:43PM -0600
References: <o1zqteasq.fsf@mew.gol.com> <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> <o90l2bshu.fsf@mew.gol.com> <19980806131045.A28059@keltia.freenix.fr> <o1zqteasq.fsf@mew.gol.com> <19980807122035.A4145@keltia.freenix.fr> <199808072337.RAA13808@lariat.lariat.org>
On Fri, Aug 07, 1998 at 03:17:43PM -0600, Brett Glass wrote:

> We have set up Tripwire, and are getting "Alarums and Excursions" (with
> apologies to old Will Shakespeare) from changed "last modification" dates
> on executables.

Are the file checksums changing? If not, then the binary probably is safe.

The Ports version of tripwire does an MD5 hash on the contents of /bin /lkm /sbin /stand /usr/bin /usr/lib /usr/libdata /usr/libexec /usr/local/bin /usr/local/lib /usr/local/libexec /usr/local/sbin /usr/local/share /usr/sbin and /usr/share. (At least I _think_ this is what it does based upon my reading of the default tw.config file installed by the port.)

MD5 is a pretty good checksum. It is highly unlikely that someone could alter a binary in such a way as to maintain the file size and MD5 checksum.

If you are truly paranoid, remove the "-2" from the end of the "ignore list". (See the documentation at the top of the tw.conf file.) This will enable a second cryptographic checksum at a significant performance penalty. It is _extremely unlikely_ that a trojan'd binary could pass both checksum tests.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
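The distinction Keith draws above, a changed modification time versus a changed content checksum, is the core of what a file integrity checker reports. The following is an added example, not code from the thread or from Tripwire itself: a small baseline-and-compare tool that records size, mtime and two digests (MD5 plus SHA-256; the choice of SHA-256 as the second algorithm is an assumption, since the message does not name Tripwire's second checksum) for every file under a directory, then classifies each difference as content changed, metadata only, added or removed. The sample tree in demo() is constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Two independent digests: an attacker must preserve both (plus size) to hide a change.
ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for one file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def snapshot(root):
    """Record size, mtime and digests for every regular file under root (like a tw.db baseline)."""
    root = Path(root)
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            rel = p.relative_to(root).as_posix()
            db[rel] = {"size": st.st_size, "mtime": st.st_mtime, **hash_file(p)}
    return db


def compare(baseline, current):
    """Classify differences between two snapshots.

    content_changed: at least one digest differs (the binary really was altered)
    metadata_only:   digests match but size/mtime differ (a touch, a reinstall of the
                     same bits, a clock change); this is the case Brett's alarms fall into
    """
    report = {"added": [], "removed": [], "content_changed": [], "metadata_only": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            b, c = baseline[rel], current[rel]
            if any(b[a] != c[a] for a in ALGORITHMS):
                report["content_changed"].append(rel)
            elif b["mtime"] != c["mtime"] or b["size"] != c["size"]:
                report["metadata_only"].append(rel)
    return report


def demo():
    """Constructed sample: a fake /bin with two 'executables', one touched, one altered."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        ls = root / "bin" / "ls"
        ps = root / "bin" / "ps"
        ls.write_bytes(b"#!/bin/sh\necho ls\n")
        ps.write_bytes(b"#!/bin/sh\necho ps\n")
        baseline = snapshot(root)

        # Only the modification time of ls changes; its bytes are identical.
        os.utime(ls, (1_000_000_000, 1_000_000_000))
        # ps is really modified: size, mtime and both digests change.
        ps.write_bytes(b"#!/bin/sh\necho ps\n# constructed extra line\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In the demo, bin/ls lands in metadata_only (the "alarum" with no substance) while bin/ps lands in content_changed; in practice the baseline should be stored on read-only media so that the comparison itself cannot be tampered with.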