Date: Wed, 12 Dec 2001 14:56:10 +0800
From: David Xu <davidx@viasoft.com.cn>
To: Christopher Schulte <christopher@schulte.org>
Cc: Landon Stewart <landons@uniserve.com>, security@FreeBSD.ORG
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
Message-ID: <3C16FF8A.1050001@viasoft.com.cn>
References: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org>
Could we add a 'sockstat -l' command to /etc/security to check listening ports; this can prevent some backdoors from being installed.

-- 
David Xu

Christopher Schulte wrote:
> At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
>
>> They could have done who knows what to whatever system(s) they wanted
>> to. Without someone saying "reformat the machines or reinstall"
>> because that's the obvious answer, is there a way to check which files
>> differ from the size they should be and have the correct MD5 sum than
>> they should or is this asking too much?
>
> With no point of reference on 'good state', there's not a lot that can
> be done. Your previous admins may have legitimately patched things,
> installed non-standard binaries, or otherwise altered the system from
> what you'd be able to use as a reference.
>
> Even if you could match md5sums, there's many other ways by which a
> person could install a back door. For example, something as simple as
> an entry in inetd.conf which serves a root shell upon tcp port
> connection would not show up in a binary-only md5 scan.
>
> Install tripwire (or some custom checksum monitoring system) from the
> beginning of the OS install for best results. I know, not too much
> help now. :-(
>
> --
> Christopher Schulte
> christopher@schulte.org
> http://noc.schulte.org/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
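The two ideas in this thread, a checksum baseline taken at install time and David Xu's 'sockstat -l' check in /etc/security, combined into one small POSIX sh script as an added example (not code from the thread and not FreeBSD's own /etc/security). The state directory /var/db/integrity and the file layout are assumptions; on Linux the file digests fall back to md5sum and the socket snapshot is simply empty because sockstat is FreeBSD-specific.

```sh
#!/bin/sh
# Daily integrity check in the spirit of /etc/security: record a baseline of
# file digests and listening sockets, later report what drifted. (Added example.)
STATE=${STATE:-/var/db/integrity}   # assumed location for baseline files

hash_file() {
    # FreeBSD ships md5(1), Linux md5sum(1); emit "<digest> <path>" either way
    if command -v md5sum >/dev/null 2>&1; then
        digest=$(md5sum "$1" | cut -d' ' -f1)
    else
        digest=$(md5 -q "$1")
    fi
    printf '%s %s\n' "$digest" "$1"
}

snapshot_files() {
    # Digest every regular file below the given directories, sorted by path
    find "$@" -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done
}

snapshot_listeners() {
    # One line per listening socket: user, command, local address, foreign address
    sockstat -l 2>/dev/null | awk 'NR > 1 { print $1, $2, $5, $6 }' | LC_ALL=C sort -u
}

report_drift() {
    # Print baseline entries that vanished as "-..." and new ones as "+...";
    # return 1 when anything differs so the caller can raise the report.
    drift=$(diff "$1" "$2" | grep '^[<>]' | sed 's/^</-/; s/^>/+/')
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

main() {
    mode=$1; shift
    mkdir -p "$STATE"
    case "$mode" in
        baseline) snapshot_files "$@" > "$STATE/files.base"
                  snapshot_listeners > "$STATE/listen.base" ;;
        check)    snapshot_files "$@" > "$STATE/files.now"
                  snapshot_listeners > "$STATE/listen.now"
                  report_drift "$STATE/files.base" "$STATE/files.now"
                  report_drift "$STATE/listen.base" "$STATE/listen.now" ;;
        *)        echo "usage: $0 baseline|check DIR..." >&2; return 2 ;;
    esac
}
[ $# -gt 0 ] && main "$@"
```

Run it once as `baseline /bin /sbin /usr/bin` right after installation and then as `check` from the daily periodic job; a changed binary shows up as a paired -/+ line and a new listener as a lone + line.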
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3C16FF8A.1050001>