alternative Re: Is my system compromised

To: debian-user@lists.debian.org
Subject: alternative Re: Is my system compromised
From: Alvin Oga <aoga@mail.Linux-Consulting.com>
Date: Mon, 6 Feb 2006 03:18:24 -0800 (PST)
Message-id: <[🔎] Pine.LNX.3.96.1060206025419.27920A-100000@Maggie.Linux-Consulting.com>
In-reply-to: <[🔎] 2925.216.190.168.10.1139153515.squirrel@www.dmiyu.org>

hi ya

for fun ... and i'm sure this is nothing new to the 
those with the security paranoid disease ( or sleepease )

for those that want to try to figure out what files
was compromized on your machines... after the fact ..

but, if you can do BEFORE you go live, ( ie .. just after 
you install ) and if you already are online, you can still 
start a new habit after the fact

one dumb trick to do, regardless of what one does
to secure your boxes...


for f in `find /etc -type f -print `
do
  echo "mdsum $f"
  eval "md5sum $f"
done

and for silly ascii file you can read/understand

	find /etc -type f -ls 

and put the resulting data onto a cdrom ( not a rw media )
	- i'll leave the screen capture of the data to
	you to figure out ( 5 second problem to solve )

	- i'll leave the burning of the cd to another day

and pick the "data" that you care about or the entire machine

--------

when you suspect a compromized box...

	check the binaries in a few seconds with diff and md5sum
	including all the libs and diff and md5sum binary itself

	it takes a couple seconds to verify libs and binaries

if you don't have a cdrom of the important files predating the
suspect compromize, you can check the suspect box against
a brand new box that you jsut built and still compare
which is 100x faster than reinstalls 

-------

- none of this requires you to wipe out data that may or
  may not be recoverable, that the manager's of the corp
  does not want destroyed or a disk to be reformatted
  because the it folks can't guarantee any working backups

	- get a brand $20 or $100 new disk and install onto
	it if you have to, but leave the suspect disk alone .. 
	for hundreds of reasons including prosecuting the
	crackers

	- never wipe out previous data ( disks ) if you cannot
	100% guarantee that you can recover important data 
	esp on somebody else's corp systems

- if you like to apt-get daily, weekly.. you might want
  to do an md5sum periodically too, to keep track of
  the system

- add the md5sum checking to cron if all that is too much work
  to do manually and everything is automated except for sticking
  in a cdrom whenver you expect to save the md5sum

-------

checking for which files is compromized or not is fairly
trivial and can be 100% automated 

	- the resulting differences is probably stuff
	you did and didnt save the new md5sum or it is
	what the cracker did

------

the assumption is that the crackers doesn't have the
skills to fake md5sum for arbitrary files
and if they do, you're needing expensive security expert 
help anyway to defend your boxes against them

fun stuff 
c ya
alvin

Reply to:

Follow-Ups:
- Re: alternative Re: Is my system compromised
  - From: Johannes Wiedersich <johannes@physik.blm.tu-muenchen.de>

References:
- Re: Re: Is my system compromised
  - From: grey@dmiyu.org

Prev by Date: Re: vi trying to connect to X
Next by Date: Re: High availability interner connection
Previous by thread: Re: fud - Re: Is my system compromised
Next by thread: Re: alternative Re: Is my system compromised
Index(es):
- Date
- Thread