Another potential home for this script is tiger, which also currently has an MD5-only checker:
An infected system will also alter the md5sum utility so that it will return the md5 of the pristine file instead of the altered one which is actually on disk (I have already seen that). Concerning your program I have seen that it uses /var/lib/dpkg/info/$2.md5sums. This is inherently unsafe because an attacker can simply alter this file along with all the other altered files. Anyone knows about this file and if I logged in via ssh and did some manual cracking then I also replaced the md5-s in that file with sed -i.
Nonetheless manual sha512-lists are generally more secure than
tools just checking files in the packages like debcheckroot
because they also record files that are not in the installation
database as well as files auto-generated/altered on installation
by installation scripts. You can create such an sha512-list after
securely offline-installing and put it on an sdcard which you always
take with you. I like sdcards because they have a read only
switch and are very small and flat so that you can easily take
them with you. Read only switches are a security feature because
you can read the content without the fear that it may be altered.
Of course you cannot easily install new packages then. That
requires you checking all the sha512s via a clean boot medium.
After that you can boot into the system, install new packages and
update the sha512s. I also take the boot media with me where the
dvd images reside on sdcards bootable via USB-sdcard adapter. The
read-only switch makes it as safe as a read only burnt dvd.
Concerning debcheckroot I had planned to make it support mounting different install-dvds/bds. At the moment it only works with a singleton install Blu-ray. Installing from Blu-ray or dvd is an additional security measure you can take to spot malware. I would not have been able to spot the rootkit I had talked about in my last mail in Brasileia, Brazil (Cobija, Bolivia) if I had decided to install online updates because then fetching the updated packages for the tool (debcheckroot supports this) would have been much more complicated. Downloads can be and often are impersonated if you do not use Tor so that you will be shipped the malwared packages for comparison instead of the original ones. So always use Tor with debcheckroot if you do not have all the packages available offline. To come back to the rootkit spotted in South America I had the fortune to spot it only because I could compare all files 1:1 which was only possible because I did not need online repositories to install the clean image of the distro.
Here is again the reference for debcheckroot:
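
The sha512-list procedure described in the message above (record every file after a clean offline install, then check the list from a clean boot medium), as an added example that is not part of the original mail or of debcheckroot. The function names and mount paths are assumptions, and it relies on GNU find, sort, xargs and sha512sum being run from the trusted medium.

```shell
#!/bin/sh
# Added example: sha512 manifest of a whole filesystem tree.
# Run it from a clean boot medium so that find, sort and sha512sum come from
# trusted media, not from the system being checked.
# Assumed names: make_manifest, verify_manifest, /mnt/suspect, /media/sdcard.
#   make_manifest   /mnt/suspect /media/sdcard/list.sha512   (after clean install)
#   verify_manifest /mnt/suspect /media/sdcard/list.sha512   (card set read-only)

# make_manifest ROOT OUT: hash every regular file under ROOT (one filesystem).
make_manifest() {
    ( cd "$1" && find . -xdev -type f -print0 | LC_ALL=C sort -z |
        xargs -0 -r sha512sum ) > "$2"
}

# verify_manifest ROOT MANIFEST: print MODIFIED/MISSING/NEW lines.
# NEW covers files that no package database would know about.
# Returns 0 if the tree matches, 1 on any difference, 2 on a bad manifest.
verify_manifest() {
    [ -s "$2" ] || { echo "empty or missing manifest: $2" >&2; return 2; }
    now=$(mktemp) || return 2
    make_manifest "$1" "$now"
    report=$(awk '
        # sha512sum lines are "<hash>  <path>"; split at the first double space
        function split_line() { i = index($0, "  ")
                                h = substr($0, 1, i - 1); p = substr($0, i + 2) }
        NR == FNR { split_line(); want[p] = h; next }
        { split_line()
          if (!(p in want)) print "NEW " p
          else { if (want[p] != h) print "MODIFIED " p; delete want[p] } }
        END { for (p in want) print "MISSING " p }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```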