
Re: MD5 sums of individual files?



Ethan Benson wrote:

On Wed, Mar 28, 2001 at 06:42:37PM -0800, William R. Ward wrote:

One way to test if you have been hacked is to run an MD5 checksum of
key binaries and look to see if it's been replaced by the intruder.
Is there any place where the MD5 sums of individual executable files
(not the .deb files, but the /usr/bin/xxxx files that come from them)
can be obtained?


some/most(?) debian packages come with md5sum lists, they are in
/var/lib/dpkg/info/packagename.md5sums.  the package debsums can verify
them.  HOWEVER, since these md5sum lists are on the same disk as the
binaries they cannot be trusted for security purposes, since it would
be quite easy for an attacker to replace the md5sum lists with ones
that match the trojaned binaries.
however if you have another debian box you are certain is not
compromised you can use its md5sums.  but you must boot off a known
clean boot disk and NOT root to the compromised disk, there could be
kernel modules installed which will hide things.

Couldn't tripwire make that job somewhat easier?
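
The check described in the quoted reply, as an added example that is not part of the original thread: a shell function that verifies files on a suspect disk, mounted from clean boot media, against a dpkg-style md5sums list copied from a trusted machine. The function names, the output labels and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and output labels
# are assumptions made for illustration.
#
# verify_md5sums TRUSTED_LIST MOUNTED_ROOT
# TRUSTED_LIST uses the dpkg *.md5sums layout: "<md5>  usr/bin/foo"
# MOUNTED_ROOT is where the suspect disk is mounted, e.g. /mnt
verify_md5sums() {
    list=$1 root=$2 bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        target="$root/$path"
        # Listed entries are regular files. A symlink could resolve against
        # the rescue system's own root instead of the suspect disk.
        if [ -L "$target" ] || [ ! -f "$target" ]; then
            echo "MISSING-OR-NOT-REGULAR $path"
            bad=$((bad + 1))
            continue
        fi
        got=$(md5sum < "$target" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ]
}

# Constructed demo: a stand-in "suspect disk" in a temp dir, with one file
# changed after the trusted list was generated.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/trusted" "$d/mnt/usr/bin"
    printf 'original ls\n' > "$d/mnt/usr/bin/ls"
    printf 'original ps\n' > "$d/mnt/usr/bin/ps"
    (cd "$d/mnt" && md5sum usr/bin/ls usr/bin/ps) > "$d/trusted/pkg.md5sums"
    printf 'replaced ps\n' > "$d/mnt/usr/bin/ps"
    rc=0
    verify_md5sums "$d/trusted/pkg.md5sums" "$d/mnt" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "demo: verification failed"
```

Both the list and the md5sum binary have to come from the trusted side (the clean boot media or the known-good box), for the reason the reply gives.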


