Date:      Wed, 18 Aug 2004 17:54:00 +0300
From:      Giorgos Keramidas <keramida@linux.gr>
To:        "Thordur Ivar B." <thib@mi.is>
Cc:        freebsd-security@freebsd.org
Subject:   Re: chfn, date, chsh INFECTED according to chkrootkit
Message-ID:  <20040818145400.GF7263@orion.daedalusnetworks.priv>
In-Reply-To: <20040818142511.390043af.thib@mi.is>
References:  <20040818121102.95460.qmail@web52402.mail.yahoo.com> <20040818142511.390043af.thib@mi.is>

On 2004-08-18 14:25, "Thordur Ivar B." <thib@mi.is> wrote:
> But still, you can only be sure if you trust your CVS checkout.
> I have found it rather annoying not having checksums of each and
> every file in /usr/src. And having a "secure" (man-in-the-middle
> attack, etc. comes to mind) way of obtaining the checksum file. (A good
> shell script could verify the checkout and you could sleep easy ;)
>
> Do correct me about the checksums if I'm wrong.

Would something like this work for you?

        # mount /mnt/floppy
        # mtree -c -K cksum,flags -p . | \
          bzip2 -9c - > /mnt/floppy/src.dist.bz2
        # umount /mnt/floppy

Then you can mount the floppy disk and check the /usr/src tree against
the checksums saved by mtree with:

        # mount /mnt/floppy
        # bunzip2 -cd /mnt/floppy/src.dist.bz2 | \
          mtree -u -f -
        # umount /mnt/floppy

Any differences of the files since your last CVSup should be easy to
catch with this little trick.  I've just tested this on my -CURRENT
installation and the bzip2'd spec file generated by the first mtree
invocation is a little less than 600 KB for /usr/src.  It fits nicely
in a single floppy disk :-)
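
A report-only variant of the check above, as an added example that is not part of the original message: it records SHA-256 digests instead of mtree's `cksum` CRC and lists changed, extra and missing files without modifying the tree (`mtree -u` can update file metadata to match the spec). It assumes `sha256sum` from GNU coreutils; `snapshot_tree` and `verify_tree` are hypothetical helper names, and the manifest is kept outside the tree, for example on the write-protected floppy.

```shell
# Added example, not from the original message. Assumes sha256sum (GNU coreutils)
# and file names without newlines or backslashes (sha256sum escapes those).
# snapshot_tree / verify_tree are hypothetical helper names.

# snapshot_tree DIR: print "digest  ./path" for every regular file, sorted by path.
snapshot_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# verify_tree DIR MANIFEST: compare DIR with a saved manifest without touching DIR.
# Prints changed/extra/missing paths; returns 0 if identical, 1 if anything differs.
verify_tree() {
    _now=$(mktemp) || return 2
    snapshot_tree "$1" > "$_now"
    # A sha256sum line is 64 hex digits, two separator characters, then the path,
    # so the path starts at column 67 (this keeps paths containing spaces intact).
    _report=$(awk '
        FILENAME == ARGV[1] { saved[substr($0, 67)] = $1; next }
        {
            path = substr($0, 67)
            if (!(path in saved)) print "extra   " path
            else {
                if (saved[path] != $1) print "changed " path
                delete saved[path]
            }
        }
        END { for (path in saved) print "missing " path }
    ' "$2" "$_now" | LC_ALL=C sort)
    rm -f "$_now"
    if [ -n "$_report" ]; then
        printf '%s\n' "$_report"
        return 1
    fi
    return 0
}
```

Typical use is `snapshot_tree /usr/src > /mnt/floppy/src.sha256` right after a trusted update, then `verify_tree /usr/src /mnt/floppy/src.sha256` later, run with tools you trust.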


