Re: MD5 Check (was Re: i am hacked atm.. what's better thing to do?)
On Mon, 6 Nov 2000, Chewie wrote:
> Here's a little known trick for a very minimalistic intrusion
> detection hack. Debian installs a file called <package>.md5sums in
> the directory /var/lib/dpkg/info/. If you move yourself to the root
> partition:
>
> bash$ cd /
>
> And run md5sum -c on the package files.
>
> bash$ for i in /var/lib/dpkg/info/*.md5sums ; do \
> > md5sum -c $i ; done &> /tmp/check.out
>
> You can pipe the output to an email to see if any of your installed
> programs have been tampered with. Tie it in with cron, and you've one
> more tool to use...
>
> ## Crontab entry for your user...
>
> 00 03 * * * cd /; for i in /var/lib/dpkg/info/*.md5sums ; do md5sum -c $i ; done
>
> Of course, this is nowhere near the same usefulness that running
> tripwire or aide might give you. If neither of these are installed,
> this "trick" may add a little more info to your clue box.
A nice little trick, and something I was playing around with on some
SGIs I manage. Not foolproof, though. They just have to install a
trojan md5sum or update your md5sum database. But it is certainly a
nice start, as no script kiddie will think to check your crontab for
stuff like that!
Damian Menscher
--
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
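As an added, self-contained illustration of the check Chewie describes (this is not code from either poster), the script below builds a throwaway fake root tree and dpkg info directory so it runs offline, then verifies every `*.md5sums` list against the tree from the root, the way the original loop does from `/`. It reports only mismatches, prefixed with the package name, and exits non-zero when anything differs. The paths `/` and `/var/lib/dpkg/info/` from the thread are replaced by the two function arguments; `md5sum -c --quiet` from GNU coreutils is assumed, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils md5sum (--quiet).

# check_md5sums ROOT INFODIR
# Verify every INFODIR/*.md5sums list against the files beneath ROOT.
# Prints "pkg: path: FAILED" for each mismatch or unreadable file and
# returns 1 if any list failed, 0 if everything matched.
check_md5sums() {
    root=$1
    infodir=$2
    bad=0
    for list in "$infodir"/*.md5sums; do
        [ -e "$list" ] || continue          # no lists at all: nothing to check
        pkg=$(basename "$list" .md5sums)
        # dpkg records paths relative to /, so run the check from ROOT.
        # --quiet drops the OK lines; FAILED lines still arrive on stdout.
        if ! out=$(cd "$root" && md5sum -c --quiet "$list" 2>/dev/null); then
            bad=1
        fi
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | while IFS= read -r line; do
                printf '%s: %s\n' "$pkg" "$line"
            done
        fi
    done
    return $bad
}

# make_fixture
# Build a constructed root tree with two "packages" and matching md5sums
# lists in the dpkg format (hash, two spaces, path without leading slash).
# Prints the temporary directory; the tree is clean when it is returned.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/bin" "$tmp/info"
    printf 'real login\n' > "$tmp/root/usr/bin/login"
    printf 'real ls\n'    > "$tmp/root/usr/bin/ls"
    (cd "$tmp/root" && md5sum usr/bin/login) > "$tmp/info/login.md5sums"
    (cd "$tmp/root" && md5sum usr/bin/ls)    > "$tmp/info/fileutils.md5sums"
    printf '%s\n' "$tmp"
}

# tamper_login FIXTUREDIR
# Simulate a replaced binary so the check has something to find.
tamper_login() {
    printf 'replaced login\n' > "$1/root/usr/bin/login"
}

# Stand-alone demonstration: clean tree, then one modified file.
DEMO=$(make_fixture)
check_md5sums "$DEMO/root" "$DEMO/info" && echo "clean tree: all lists OK"
tamper_login "$DEMO"
check_md5sums "$DEMO/root" "$DEMO/info" || echo "modified tree: mismatch reported above"
rm -rf "$DEMO"
```

On a real system the call is `check_md5sums / /var/lib/dpkg/info`, and the non-zero exit status makes it easy to mail or log only when something differs. Damian's caveat still applies in full: the lists live on the same disk as the files they describe, so an intruder who can replace `/usr/bin/login` can also rewrite `login.md5sums` (or `md5sum` itself). Keeping a copy of the `*.md5sums` files, or a checksum of them, on read-only media and comparing against that copy closes the most obvious gap while staying within the same minimal tooling.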