
Re: MD5 sums of individual files?



Another way to do this is to install the AIDE package, which performs a checksum
on certain files that you specify in the configuration, the way tripwire does
it... It's so easy to install, and it sends you an e-mail notifying you of the
daily results of the check. The database can be 'hard stored' on a
write-protected floppy disk (with backup copies, of course) or on a CD-ROM, which
makes it impossible to alter the database with the checksum information.

I recommend it, 'cos it's easy to install and manage and doesn't require
maintenance...


On Wed, 28 Mar 2001, Ethan Benson wrote:

     On Wed, Mar 28, 2001 at 06:42:37PM -0800, William R. Ward wrote:
     > 
     > One way to test if you have been hacked is to run an MD5 checksum of
     > key binaries and look to see if it's been replaced by the intruder.
     > Is there any place where the MD5 sums of individual executable files
     > (not the .deb files, but the /usr/bin/xxxx files that come from them)
     > can be obtained?
     
     some/most(?) debian packages come with md5sum lists, they are in
     /var/lib/dpkg/info/packagename.md5sums.  the package debsums can verify
     them.  HOWEVER, since these md5sum lists are on the same disk as the
     binaries they cannot be trusted for security purposes, since it would
     be quite easy for an attacker to replace the md5sum lists with ones
     that match the trojaned binaries.  
     
     however if you have another debian box you are certain is not
     compromised you can use its md5sums.  but you must boot off a known
     clean boot disk and NOT root to the compromised disk, there could be
     kernel modules installed which will hide things.  
     
     -- 
     Ethan Benson
     http://www.alaska.net/~erbenson/
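
As an added example, not part of the original messages: verifying files on a suspect disk, mounted from clean boot media, against a dpkg-style md5sums list copied from a known-good box. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

def parse_md5sums(text):
    """Parse dpkg .md5sums content: '<32 hex digits>  <path relative to />'."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        m = re.fullmatch(r"([0-9a-f]{32})\s+(.+)", line)
        if not m:
            raise ValueError(f"malformed md5sums line: {line!r}")
        entries[m.group(2)] = m.group(1)
    return entries

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(trusted, mount_root):
    """Compare files under mount_root (the suspect disk) with the trusted list."""
    results = {}
    for rel, want in trusted.items():
        full = os.path.join(mount_root, rel.lstrip("/"))
        if os.path.islink(full):
            # Symlinks may resolve into the rescue system's own root: report, don't follow.
            results[rel] = "SYMLINK"
        elif not os.path.isfile(full):
            results[rel] = "MISSING"
        else:
            results[rel] = "OK" if md5_file(full) == want else "MISMATCH"
    return results

def demo():
    """Constructed sample: a temp dir stands in for the mounted suspect disk."""
    clean = {"ls": b"clean ls", "ps": b"clean ps", "top": b"clean top"}
    trusted = "".join(f"{hashlib.md5(d).hexdigest()}  usr/bin/{n}\n" for n, d in clean.items())
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        for name, data in (("ls", b"clean ls"), ("ps", b"trojaned ps")):
            with open(os.path.join(root, "usr/bin", name), "wb") as f:
                f.write(data)
        return verify(parse_md5sums(trusted), root)

if __name__ == "__main__":
    print("\n".join(f"{s:9} {p}" for p, s in sorted(demo().items())))
```

The trusted list is read from outside the suspect disk, and only the final path component is checked for being a symlink.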
     


