Date:      Wed, 12 Dec 2001 00:55:56 -0600
From:      Christopher Schulte <christopher@schulte.org>
To:        Landon Stewart <landons@uniserve.com>, security@FreeBSD.ORG
Subject:   Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
Message-ID:  <5.1.0.14.0.20011212004626.03242638@pop.schulte.org>
In-Reply-To: <3C16FB8C.9020908@uniserve.com>

At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
>They could have done who knows what to whatever system(s) they wanted 
>to.  Without someone saying "reformat the machines or reinstall" because 
>that's the obvious answer, is there a way to check which files differ from 
>the size they should be and have the correct MD5 sum that they should, or 
>is this asking too much?

With no point of reference on 'good state', there's not a lot that can be 
done.  Your previous admins may have legitimately patched things, installed 
non-standard binaries, or otherwise altered the system from what you'd be 
able to use as a reference.

Even if you could match md5sums, there are many other ways by which a person 
could install a back door.  For example, something as simple as an entry in 
inetd.conf which serves a root shell upon tcp port connection would not 
show up in a binary-only md5 scan.

Install tripwire (or some custom checksum monitoring system) from the 
beginning of the OS install for best results.  I know, not too much help 
now. :-(

--
Christopher Schulte
christopher@schulte.org
http://noc.schulte.org/
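The two points made above, that a checksum baseline is only useful if it is taken from a known-good state and that a binary-only scan misses a configuration-file backdoor such as an inetd.conf entry, can be shown with a small integrity-checker sketch. This is an added example, not code from the thread or from tripwire; the function names (`snapshot`, `compare`, `demo`), the use of SHA-256 instead of MD5, and the constructed fake filesystem under a temporary directory are all assumptions made for the illustration.

```python
"""Minimal file-integrity baseline and comparison (added example, not from the thread).

Design assumed here: record (size, SHA-256) for every regular file under a root at
install time, keep that baseline somewhere the host cannot alter it (read-only media or
another machine), and later diff a fresh snapshot against it. Helper names are hypothetical.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Digest = Tuple[int, str]


def file_digest(path: Path) -> Digest:
    """Return (size, sha256 hex digest) for one file, reading it in chunks."""
    h = hashlib.sha256()
    size = 0
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            h.update(chunk)
    return size, h.hexdigest()


def snapshot(root: Path, subdirs: Optional[Tuple[str, ...]] = None) -> Dict[str, Digest]:
    """Digest every regular file under root (or only under the named subdirs).

    Symlinks are skipped so a planted link cannot substitute content from elsewhere.
    Keys are paths relative to root, so baselines from different mounts stay comparable.
    """
    base: Dict[str, Digest] = {}
    tops = [root / d for d in subdirs] if subdirs else [root]
    for top in tops:
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                p = Path(dirpath) / name
                if p.is_symlink() or not p.is_file():
                    continue
                base[p.relative_to(root).as_posix()] = file_digest(p)
    return base


def compare(baseline: Dict[str, Digest], current: Dict[str, Digest]) -> Dict[str, List[str]]:
    """Classify paths as modified, added or removed relative to the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: a tiny fake root with bin/ and etc/, a baseline taken at
    'install time', then a config-only change plus a dropped file. Returns the result of
    a binary-only scan next to a full scan so the blind spot is visible."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Constructed file contents; nothing here is a real binary or a real config.
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake ls binary")
        (root / "etc" / "inetd.conf").write_text("ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l\n")
        baseline = snapshot(root)  # the 'known-good' reference the thread says is missing

        # Later: one extra line appended to inetd.conf (binary untouched) and a new file in etc/.
        with (root / "etc" / "inetd.conf").open("a") as f:
            f.write("# constructed extra service line\n")
        (root / "etc" / "dropped.conf").write_text("constructed\n")

        binary_only = compare(
            {k: v for k, v in baseline.items() if k.startswith("bin/")},
            snapshot(root, subdirs=("bin",)),
        )
        full = compare(baseline, snapshot(root))
    return {"binary_only": binary_only, "full": full}


if __name__ == "__main__":
    for scan, result in demo().items():
        print(scan, result)
```

Running it shows the binary-only scan reporting nothing while the full scan flags `etc/inetd.conf` as modified and `etc/dropped.conf` as added. The detection is only as trustworthy as the baseline: a snapshot taken after an intrusion, or stored where root on the compromised host can rewrite it, gives no point of reference, which is the situation the reply describes.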

