Re: Is my system compromised
hi ya
for fun ... and i'm sure this is nothing new to
those with the security paranoid disease ( or sleepease )
for those that want to try to figure out what files
were compromised on your machines... after the fact ..
but, if you can do it BEFORE you go live, ( ie .. just after
you install ) and if you already are online, you can still
start a new habit after the fact
one dumb trick to do, regardless of what one does
to secure your boxes...
for f in `find /etc -type f -print`
do
    # print the file name, then its checksum (quoted so odd names still work)
    echo "md5sum $f"
    md5sum "$f"
done
and for a silly ascii file you can read/understand
find /etc -type f -ls
and put the resulting data onto a cdrom ( not a rw media )
- i'll leave the screen capture of the data to
you to figure out ( 5 second problem to solve )
- i'll leave the burning of the cd to another day
and pick the "data" that you care about or the entire machine
--------
when you suspect a compromised box...
check the binaries in a few seconds with diff and md5sum
including all the libs and the diff and md5sum binaries themselves
it takes a couple seconds to verify libs and binaries
if you don't have a cdrom of the important files predating the
suspect compromise, you can check the suspect box against
a brand new box that you just built and still compare
which is 100x faster than reinstalls
-------
- none of this requires you to wipe out data that may or
may not be recoverable, that the managers of the corp
do not want destroyed, or a disk to be reformatted
because the IT folks can't guarantee any working backups
- get a brand new $20 or $100 disk and install onto
it if you have to, but leave the suspect disk alone ..
for hundreds of reasons including prosecuting the
crackers
- never wipe out previous data ( disks ) if you cannot
100% guarantee that you can recover important data
esp on somebody else's corp systems
- if you like to apt-get daily, weekly.. you might want
to do an md5sum periodically too, to keep track of
the system
- add the md5sum checking to cron if all that is too much work
to do manually and everything is automated except for sticking
in a cdrom whenever you expect to save the md5sum
-------
checking which files are compromised or not is fairly
trivial and can be 100% automated
- the resulting differences are probably stuff
you did and didn't save the new md5sum for, or it is
what the cracker did
------
the assumption is that the crackers don't have the
skills to fake md5sum for arbitrary files
and if they do, you're needing expensive security expert
help anyway to defend your boxes against them
fun stuff
c ya
alvin
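A script form of the habit alvin describes, added here as an example and not part of his post: baseline writes the sorted checksum list you would burn to the cdrom, and verify diffs a live tree against it, reporting CHANGED, MISSING and NEW files (the awk join is what a plain md5sum -c would not give you: files the cracker added). Function names, the HASH variable and the constructed demo tree are my own; it assumes a POSIX sh with find, awk, sort, mktemp and md5sum, and paths without whitespace (the same limitation as the loop in the post).

```shell
#!/bin/sh
# Added example (not from alvin's post): snapshot checksums of a tree and
# later diff the live tree against the snapshot. HASH defaults to md5sum
# as in the post; sha256sum is a drop-in replacement (HASH=sha256sum).
HASH=${HASH:-md5sum}

# baseline DIR OUT: write "hash  ./path" for every regular file under DIR
# to OUT, sorted by path. Paths are relative to DIR so the same snapshot
# can be checked from a rescue boot or against a freshly built reference
# box. OUT is the file that goes onto read-only media.
baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec "$HASH" {} + ) | LC_ALL=C sort -k2 > "$out"
}

# verify DIR BASELINE: print one line per difference
#   CHANGED ./path   content differs from the snapshot
#   MISSING ./path   in the snapshot, gone from disk
#   NEW ./path       on disk, not in the snapshot
# Returns 0 when the tree matches, 1 when anything is reported.
verify() {
    dir=$1; base=$2
    cur=$(mktemp) || return 2
    rep=$(mktemp) || return 2
    baseline "$dir" "$cur"
    # Lines from the baseline fill want[], lines from the fresh run fill
    # have[]; the END block compares the two maps in both directions.
    awk 'FILENAME == ARGV[1] { want[$2] = $1; next }
         { have[$2] = $1 }
         END {
             for (p in want)
                 if (!(p in have))            print "MISSING " p
                 else if (have[p] != want[p]) print "CHANGED " p
             for (p in have)
                 if (!(p in want))            print "NEW " p
         }' "$base" "$cur" | LC_ALL=C sort > "$rep"
    cat "$rep"
    if [ -s "$rep" ]; then status=1; else status=0; fi
    rm -f "$cur" "$rep"
    return $status
}

# demo: constructed stand-in for /etc; snapshot it, tamper, then verify.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/etc/ssh"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$t/etc/passwd"
    printf 'PermitRootLogin no\n' > "$t/etc/ssh/sshd_config"
    printf '127.0.0.1 localhost\n' > "$t/etc/hosts"
    baseline "$t/etc" "$t/etc.sums"                 # this is the cdrom file
    printf 'PermitRootLogin yes\n' > "$t/etc/ssh/sshd_config"   # changed
    rm "$t/etc/hosts"                                           # missing
    printf 'exit 0\n' > "$t/etc/rc.local"                       # new
    verify "$t/etc" "$t/etc.sums" || echo "tree differs from snapshot (status $?)"
    rm -rf "$t"
}

demo
```

Run it from a rescue boot, or with DIR pointing at the suspect disk mounted read-only elsewhere, so the md5sum, find and awk you execute come from trusted media; that is the post's point about diffing the md5sum binary and its libs before trusting its output, and the script leaves that to you.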