Date: Mon, 17 Dec 2001 08:25:54 -0500 From: "David Rhodus" <sdrhodus@sekurity.net> To: "David Xu" <davidx@viasoft.com.cn>, "Christopher Schulte" <christopher@schulte.org> Cc: "Landon Stewart" <landons@uniserve.com>, <security@FreeBSD.ORG> Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits... Message-ID: <002a01c186fe$5af22b80$1506810a@asgidavid> References: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org> <3C16FF8A.1050001@viasoft.com.cn>
next in thread | previous in thread | raw e-mail | index | archive | help
# Simple shell script for md5 # Stored format - Filename MD5HASH suidbit/sgidbit echo ""; errormsg() { echo "Incorrect parameters!"; echo "Please use" $0 "create [hashfile] to create/update a table of checksums or"; echo $0 "check [hashfile] [current] to compare checksums."; echo ""; exit } if [ -z $1 ]; then errormsg; elif [ $1 = "create" ]; then if [ -z $2 ]; then errormsg; fi echo "Creating table of sums..."; find / -name '*' -perm +4000 -o -perm +2000 -type f | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' > .tmp123; find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >> .tmp123; cat .tmp123 | sort | uniq > $2; rm .tmp123; chmod 600 $2; echo ""; echo "Finished compiling list."; echo "Hashed a total of"`cat $2 | wc --lines` "files!"; elif [ $1 = "check" ]; then if [ -z $2 ]; then errormsg; fi echo "Building current settings..." find / -name '*' -perm +4000 -o -perm +2000 -type f | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' > .tmp123; find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum | awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >> .tmp123; cat .tmp123 | sort | uniq > .tmpf; rm .tmp123; echo "Comparing settings..." echo "*-- Checksum report --*" > .errreport; if [ `cat .tmpf | wc -l` -ne `cat $2 | wc -l` ]; then echo "Number of files do not match!" | tee --append .errreport; fi if [ `cat .tmpf | awk '// {print $3}' | egrep "s|S" | wc -l` -ne `cat $2 | awk '// {print $3}' | egrep "s|S" | wc -l` ]; then echo "Number of suid/sgid files do not match!" | tee --a .errreport; fi # temp=`diff .tmpf $2`; if (diff .tmpf $2 > /dev/null) then echo "No differences found!"; rm .tmpf .errreport; exit; fi; echo "Differences encountered! Outputting to stdout and mailing user..."; echo "" | tee -a .errreport; diff .tmpf $2 | tee -a .errreport; mail `whoami`@`hostname` < .errreport; rm .tmpf .errreport; elif [ -n $1 ]; then errormsg; fi; ----- Original Message ----- From: "David Xu" <davidx@viasoft.com.cn> To: "Christopher Schulte" <christopher@schulte.org> Cc: "Landon Stewart" <landons@uniserve.com>; <security@FreeBSD.ORG> Sent: Wednesday, December 12, 2001 1:56 AM Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits... > Could we add a 'sockstat -l' command to /etc/security to check > listening port, > this can prevent some backdoor from be installed. > -- > David Xu > > Christopher Schulte wrote: > > > At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote: > > > >> They could have done who knows what to whatever system(s) they wanted > >> to. Without someone saying "reformat the machines or reinstall" > >> because thats the obvious answer, is there a way to check which files > >> differ from the size they should be and have the correct MD5 sum than > >> they should or is this asking too much? > > > > > > With no point of reference on 'good state', there's not a lot that can > > be done. Your previous admins may have legitimately patched things, > > installed non-standard binaries, or otherwise altered the system from > > what you'd be able to use as a reference. > > > > Even if you could match md5sums, there's many other ways by which a > > person could install a back door. For example, something as simple as > > an entry in inetd.conf which serves a root shell upon tcp port > > connection would not show up in a binary-only md5 scan. > > > > Install tripwire (or some custom checksum monitoring system) from the > > beginning of the OS install for best results. I know, not too much > > help now. :-( > > > > -- > > Christopher Schulte > > christopher@schulte.org > > http://noc.schulte.org/ > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002a01c186fe$5af22b80$1506810a>