checksums or finding rootkits in SuSE
Hello suse-security,
I would like to ask: is there any tool (semi-automated preferably) to check binaries' md5(?) sums? Kind of a basic shell script which has the original sum list of aaa_base binaries, and then goes over all of them and checks for conformance? As for now I see only one way -> download the list from the SuSE FTP server or copy it from the CD and then go through it manually. However, I feel like I'm not the first person who has the feeling that it's time to look for a rootkit, and I think that there is a tool made to make lives easier... Surely there is nothing wrong with checking one or two binaries, but I'm paranoid enough to check all base binaries. Besides, I have 3 SuSE distributions to check, so I will need at least 3 binary lists.
I found "Linux rootkit detector" on sourceforge, however it's still in beta, and looks for differences between ps() output and the /proc table, not checking the binaries themselves.
Any references (to sums lists of 6.1, 6.3 and 7.1, or to rootkit related topics) and suggestions would be very welcome :-) Thanks!
-- Will you help us, Mulder?
Best regards, Gediminas mailto:lists@kryptis.lt
* Gediminas Grigas wrote:
Hello suse-security,
I would like to ask: is there any tool (semi-automated preferably) to check binaries' md5(?) sums? Kind of a basic shell script which has the original sum list of aaa_base binaries, and then goes over all of [...]
Check Marc's page http://www.suse.de/~marc ; there is an audit disk IIRC, and secucheck (security check script) for routinely checking MD5s of the system. HTH
-- Togan Muftuoglu
Hi Gediminas,
A secure check involving such a list as you mentioned should be easy to do using either a shell script or tripwire. In either case you would, however, need to make the initial tripwire database or that md5 list for the script yourself in advance, and save it to read-only storage. I get the impression from your mail that it's too late for that. So the best you can do now, I suppose, is to run rpm as follows:
rpm -V aaa_base
and you will get a list of all files of the aaa_base package that have been changed in some way. The flags on the left-hand side show what kind of change has occurred. A 5 in the third place denotes a change in md5 checksum. Read the manpage for the other flags.
Please note that this will not work when the attacker has installed his rootkit in the form of a new aaa_base rpm, or has edited the rpm database to reflect the changes in md5 checksum, but it's probably better than nothing...
Cheers, Yuri.
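An added example (not part of the thread, and not a script that Yuri or SuSE ship): a small triage filter for the "rpm -V" output Yuri describes. The sample output lines below are constructed, not captured from a real host; the only assumption about rpm is its documented verify format (attribute string, optional file-type letter, path, or "missing <path>").

```shell
#!/bin/sh
# Added example (not from the thread): triage "rpm -Va" output.
# Each line is an attribute string (S size, M mode, 5 md5, D device,
# L link, U user, G group, T mtime; '.' = matches the rpm database),
# an optional file-type letter (c = config, d = documentation, ...)
# and the path. Files rpm cannot find at all come out as "missing <path>".
#
# Caveat from the thread: this only sees changes relative to the rpm
# database. A rootkit installed as an rpm, or one that rewrote
# /var/lib/rpm, verifies cleanly.

# Constructed sample of rpm -Va output (not real output from any host)
SAMPLE_RPMV='S.5....T   /bin/ls
.......T   /usr/bin/top
S.5....T c /etc/inittab
missing    /sbin/ifconfig
.M.....U   /usr/sbin/sshd
S.5....T   /usr/bin/find'

# rpmv_suspects: read rpm -V lines on stdin and print the ones that
# matter: a changed md5 (third attribute) on a non-config, non-doc file,
# or a file that is missing. A lone mtime, mode or owner change is not
# reported; it is common after updates and is no evidence of a trojan.
rpmv_suspects() {
    while read -r attrs ftype path; do
        # With no type letter, the second field is already the path.
        if [ -z "$path" ]; then
            path=$ftype
            ftype=""
        fi
        case "$attrs" in
            missing)
                echo "MISSING $path"
                ;;
            ??5*)
                # contents differ from what the rpm database recorded
                case "$ftype" in
                    c|d) ;;                         # config/doc: expected to differ
                    *)   echo "MD5-CHANGED $path" ;;
                esac
                ;;
        esac
    done
}

# With --live and an rpm binary present, triage the real system;
# otherwise show the triage of the constructed sample.
if [ "${1:-}" = "--live" ] && command -v rpm >/dev/null 2>&1; then
    rpm -Va 2>/dev/null | rpmv_suspects
else
    printf '%s\n' "$SAMPLE_RPMV" | rpmv_suspects
fi
```

On the sample this reports /bin/ls and /usr/bin/find as MD5-CHANGED and /sbin/ifconfig as MISSING, and stays quiet about /etc/inittab (a config file) and the sshd mode/owner change. The rpm binary and the database under /var/lib/rpm are themselves part of what you are trusting here, which is the point Roman makes further down the thread.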
On 18-Aug-01 Gediminas Grigas wrote:
I would like to ask: is there any tool (semi-automated preferably) to check binaries' md5(?) sums? Kind of a basic shell script which has the original sum list of aaa_base binaries, and then goes over all of them and checks for conformance? [...]
There are several possibilities: An integrity checking tool, the rpm
system itself or a self-made shell script that runs md5sum. I used to do
it with the latter, but I removed it after a while because it did not
scale.
Using the rpm command, you can check if files have been changed relative
to what the rpm database knows. "rpm -Vv <packagename>" is the command,
or "rpm -Vva" for all packages. If you trust this information, then your
rpm command as well as the rpm databases must be assured wrt their
integrity. In other words, you should have a file containing the md5 sums
of these files to verify against before you trust the data. Alternatively
(what I do), store the files in an encrypted tar archive somewhere
else, or make gpg signatures of them.
tripwire is contained in all versions of the SuSE Linux distribution. We
will provide update packages soon for some minor problems, but this is the
choice if you really want to make the integrity checking thing truly
reasonable. Use "rpm -ql tripwire" to find out where the docs are.
Thanks,
Roman.
-- Roman Drahtmüller
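An added example (not part of the thread, and not the script Roman used or anything SuSE ships) of the "self-made shell script that runs md5sum" approach Gediminas asked for and Roman describes: build an md5 baseline for a list of files, keep a fingerprint of the baseline itself off-box, and verify against it later. The file names and contents in the demo are constructed in a temporary directory; the only tools assumed are md5sum, sort, cut and mktemp from coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): md5 baseline for a list of files.
# Roman's point applies to this script as much as to rpm: the baseline,
# and the md5sum binary you verify with, must live where the attacker
# could not touch them (read-only media, another host, or under a gpg
# signature). The script checks files; it cannot vouch for itself.

# make_baseline FILELIST -> baseline on stdout, one "md5  path" line per
# file, sorted by path so baselines from two hosts can be diffed.
# FILELIST names one path per line, e.g. the output of
#   find /bin /sbin /usr/bin /usr/sbin /lib -type f
# plus what "rpm -V" itself depends on: /bin/rpm and /var/lib/rpm/*.
make_baseline() {
    while read -r f; do
        if [ -f "$f" ]; then
            md5sum "$f"
        fi
    done < "$1" | sort -k 2
}

# verify_baseline BASELINE -> prints CHANGED/MISSING lines; exit status 0
# only if every file still matches its recorded sum.
verify_baseline() {
    bad=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(md5sum < "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED $path"; bad=1
        fi
    done < "$1"
    return $bad
}

# baseline_fingerprint BASELINE -> md5 of the baseline file itself.
# Write it down off-box (or sign the baseline with gpg) and compare it
# before every run, so a baseline an intruder edited is never trusted.
baseline_fingerprint() {
    md5sum < "$1" | cut -d' ' -f1
}

# demo: constructed files in a temp dir, then a simulated rootkit that
# replaces one "binary" and deletes another. Returns verify's status,
# so it is nonzero when the check works.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'original ls\n' > "$tmp/ls"
    printf 'original ps\n' > "$tmp/ps"
    printf 'original netstat\n' > "$tmp/netstat"
    printf '%s\n' "$tmp/ls" "$tmp/ps" "$tmp/netstat" > "$tmp/filelist"
    make_baseline "$tmp/filelist" > "$tmp/baseline"
    fp_before=$(baseline_fingerprint "$tmp/baseline")

    printf 'trojaned ps\n' > "$tmp/ps"       # simulated rootkit
    rm -f "$tmp/netstat"

    # baseline untouched? only then is its verdict worth anything
    [ "$(baseline_fingerprint "$tmp/baseline")" = "$fp_before" ] || return 3
    verify_baseline "$tmp/baseline"
    status=$?
    rm -rf "$tmp"
    return $status
}

case "${1:-}" in
    make)   make_baseline "$2" ;;
    verify) verify_baseline "$2" ;;
    *)      demo || echo "demo finished with status $? (nonzero = changes found)" ;;
esac
```

Usage: "sh baseline.sh make filelist > baseline" on a freshly installed box, copy the baseline and its fingerprint to read-only media, and later "sh baseline.sh verify /mnt/cdrom/baseline". Doing this after the box has been on the network only tells you what changed from then on, which is the limitation both Yuri and Boris point out.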
On 18-Aug-01 Gediminas Grigas wrote:
Hello suse-security,
I would like to ask: is there any tool (semi-automated preferably) to check binaries' md5(?) sums? [...]
I found "Linux rootkit detector" on sourceforge, however it's still in beta, and looks for differences between ps() output and the /proc table, not checking the binaries themselves.
Problem here is that the actual capabilities of many rootkits are unknown to most admins. Some "just" replace essential tools like ls, grep, ps, find, top, etc., some modify lastlog and other log entries, some show trojan-like behaviour and open stealthy backdoors, and there are some who do all of it, namely modifications to your local rpm database and the /proc file system. Applying file integrity checkers like tripwire *after* taking a server into production surely is better than doing no integrity checking at all; unfortunately, some (many?) admins tend to implement them after something strange has happened, which they hope to detect that way. It's still possible, though quite hard, to do a file integrity check in this case, using a write-only "master" (like the SuSE CDs), but this is limited to originally installed RPM packages only; most config files and programs which have been compiled from a tarball (.tar.gz) simply couldn't be verified correctly that way.
Any references (to sums lists of 6.1, 6.3 and 7.1, or to rootkit related topics) and suggestions would be very welcome :-) Thanks!
IMO, the Right Thing to do would be to:
1.) Implement tripwire *before* the system goes into production
2.) configure tripwire to check *relevant* files, not e.g. backups of logfiles or app pid-files, to avoid a bloated tw report which may get annoying
3.) create a write-only backup of all essential config files and binaries
4.) periodically check your system using chkrootkit from http://www.chkrootkit.org . This tool detects about 20 common and not-so-common rootkits and monitors the integrity of dozens of important binutils.
-- Will you help us, Mulder?
Yeah, Scully. The answer is out there. Out there...! ;)
Best regards, Gediminas mailto:lists@kryptis.lt
---
Boris Lorenz
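An added example (not part of the thread, and not code from the SourceForge rootkit detector or from chkrootkit) of the "ps output versus /proc table" comparison Gediminas mentions and Boris's list of rootkit tricks touches on. The PID lists used in the demo are constructed; the live check assumes a Linux /proc and a POSIX "ps -e -o pid=".

```shell
#!/bin/sh
# Added example (not from the thread): find processes that /proc knows
# about but ps does not. A user-level rootkit that trojans ps hides a
# process from its output but rarely hides /proc/<pid>, so such a PID
# deserves a look. Run it with a ps from known-good media; if the kernel
# itself is subverted, /proc lies as well and this check finds nothing.

# Constructed sample lists (not taken from a real system). PS_SAMPLE
# mimics the right-aligned output of "ps -e -o pid=".
PROC_SAMPLE='1 2 3 4 5 6'
PS_SAMPLE='    1
    2
    4
    6'

# hidden_pids PROC_LIST PS_LIST -> PIDs in PROC_LIST that PS_LIST lacks.
# Both arguments are whitespace- or newline-separated PID lists, so the
# comparison can be exercised on constructed input.
hidden_pids() {
    seen=" $(printf '%s ' $2) "          # unquoted $2: split into words
    for p in $1; do
        case "$seen" in
            *" $p "*) ;;                 # ps knows about it
            *) echo "$p" ;;
        esac
    done
}

# common_pids LIST1 LIST2 -> PIDs present in both lists.
common_pids() {
    other=" $(printf '%s ' $2) "
    for p in $1; do
        case "$other" in
            *" $p "*) echo "$p" ;;
        esac
    done
}

# snapshot_hidden -> one snapshot: ps first, then /proc via a shell glob.
# The glob spawns no process, so a difference is either a process that
# started after ps finished (noise) or one ps was told to hide.
snapshot_hidden() {
    ps_list=$(ps -e -o pid= 2>/dev/null)
    proc_list=
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue          # no /proc here: nothing to compare
        proc_list="$proc_list ${d#/proc/}"
    done
    hidden_pids "$proc_list" "$ps_list"
}

# live_check -> PIDs hidden in two snapshots a second apart. A PID seen
# in only one snapshot is almost certainly start-up noise; one that
# persists is the one to investigate (ls -l /proc/<pid>/exe,
# cat /proc/<pid>/cmdline, both read without the suspect ps).
live_check() {
    first=$(snapshot_hidden)
    sleep 1
    second=$(snapshot_hidden)
    common_pids "$first" "$second"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    hidden_pids "$PROC_SAMPLE" "$PS_SAMPLE"   # sample: reports 3 and 5
fi
```

This catches only the cheap trick of a trojaned ps; a kernel module that filters /proc, the "all of it" case Boris describes, defeats it, which is why he recommends a signed or read-only baseline taken before the box went into production rather than any after-the-fact heuristic.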
Yuppa, On 18-Aug-01 Gediminas Grigas wrote:
Hello suse-security,
I would like to ask is there any tool (semi-automated preferable), to chek binaries md5(?)sums? Kind of basic shell script witch has original sum list of aaa_base binaries, and then goes for all of them and cheks for conforming? [...]
securityfocus.com has put up the third part of its series devoted to the examination of hacker tools. This time it's about rootkits; perhaps take a look at it for more information: http://www.securityfocus.com/focus/ids/articles/rootkit.html
---
Boris Lorenz
participants (5): Boris Lorenz, Gediminas Grigas, Roman Drahtmueller, Togan Muftuoglu, Yuri Robbers