find out binary file tampering
Hello,
I have a box that I recently leased. I hardened it pretty good but I'm worried that I may have missed something buried in somewhere. I ran chkrootkit, tiger and found nothing. My questions are:

1. How can I find the md5 of debian-6 binaries such as the following files: /etc/passwd /bin/netstat /bin/ls /bin/login /bin/cat /bin/ps /usr/bin/last /usr/bin/apt-get
2. Other than finding the md5sum of those files and comparing, are there other methods of finding out if they're tampered with?
3. I ran the following to find setgid and got the following (I know most of them are normal but just want to get a 2nd opinion on the ones I don't know; I put * next to them):

find / -user root -perm -4000 -print
/bin/mount
/bin/su
/bin/umount
/bin/ping
/bin/ping6
/usr/bin/sudoedit
/usr/bin/gpasswd *
/usr/bin/newgrp *
/usr/bin/chfn *
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chsh *
/usr/sbin/exim4 *
/usr/lib/pt_chown *
/usr/lib/openssh/ssh-keysign

Thank you all
To verify the binary files on a Debian system, use the debsums command: http://www.digipedia.pl/man/doc/view/debsums.1/
Personally, if I am suspicious about a particular binary, I will download the package from the repository and verify it manually against the one installed in my system, as the date, time, and md5 sum should all match. WRT the suid files, on my system: /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/chfn, /usr/bin/chsh, and pt_chown are all root owned, setuid. I don't have exim.
Noway2 has some great advice and I too am curious why you think your system is compromised? In the future (depending on your environment) you may want to look into something like AIDE (Advanced Intrusion Detection Environment). It's very configurable (and trust me, it takes some time to configure) and it's basically like Tripwire, only free. This way you can keep an eye on files and be alerted to their changing.
Thank you Noway for that tool (I didn't know it).
What I mean by hardening is: after leasing the box, I went through a checklist of items to harden it, and checking binary integrity was at the end of that list. Right now, it only accepts ssh-key login from a specific IP, among other things. Let me know what you meant by analysis (I have run tiger and chkrootkit and they found nothing).
Here in LQ-Security, we typically base our investigation and analysis on the CERT Intruder Detection Checklist (see the security references sticky in this forum). In a nutshell, the process involves looking for signs of a compromised system including verifying binaries, looking for cron entries, looking for processes that shouldn't be running, looking for hidden files and folders, especially ones with setuid, and examining the logs for signs of malicious activity.
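The "hidden files and folders, especially ones with setuid" step of the checklist above is the one the original poster did by hand with find. Here is an added example (not code from the thread or from any of the tools named in it) that turns that one-off listing into a saved baseline and a diff, so a setuid binary that shows up later stands out instead of being lost in a list of a dozen normal entries. It assumes a POSIX sh with find, sort, comm and sed; every path inside demo() is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid binaries and dot-files under a root,
# and diff the privileged list against a saved baseline.
# Assumes POSIX sh with find, sort, comm, sed. Paths in demo() are constructed.

# Print setuid (4000) and setgid (2000) regular files under $1, sorted.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print hidden files and directories (names starting with a dot) under $1, sorted.
list_hidden() {
    find "$1" -name '.*' ! -name '.' ! -name '..' -print 2>/dev/null | sort
}

# Save the privileged-file list for root $1 into baseline file $2.
save_baseline() {
    list_privileged "$1" > "$2"
}

# Compare the current privileged files under $1 with baseline $2.
# Prints "+ path" for entries missing from the baseline and "- path" for
# entries that disappeared. Returns 1 if anything differs, 0 otherwise.
diff_baseline() {
    current=$(mktemp)
    list_privileged "$1" > "$current"
    added=$(comm -13 "$2" "$current")
    removed=$(comm -23 "$2" "$current")
    rm -f "$current"
    status=0
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'; status=1
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'; status=1
    fi
    return $status
}

# Demo on a constructed tree: one legitimate setuid binary is in the baseline,
# then a new setuid file appears inside a hidden directory.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp/.hidden"
    printf 'x' > "$root/bin/su"; chmod 4755 "$root/bin/su"   # expected, in baseline
    printf 'x' > "$root/bin/ls"; chmod 0755 "$root/bin/ls"   # not privileged
    base=$(mktemp)
    save_baseline "$root" "$base"
    printf 'x' > "$root/tmp/.hidden/sh"; chmod 4755 "$root/tmp/.hidden/sh"
    if diff_baseline "$root" "$base"; then echo "no changes"; fi
    rm -rf "$root" "$base"
}
```

On a real host you would run save_baseline once right after hardening, keep the baseline file somewhere the box cannot silently rewrite (off-box or on read-only media), and run diff_baseline from cron; its non-zero exit status is what makes it usable as an alert condition.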
Just wanted to echo that a Host Intrusion Detection System (HIDS) can automate the comparison of checksums.
Most HIDS will create a database of known good checksums and will recheck them from time to time.
I, personally, would recommend using AIDE and setting up a cron task to perform a daily scan and email a report. Most systems will see changes as the log files roll over, but the core system should remain unchanged. While some may argue that daily is too much noise or too much effort, I find it only takes about 30 seconds to scan the daily email for unanticipated changes.
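Both the debsums answer earlier in the thread and the HIDS/AIDE advice just above rest on the same mechanism: a stored list of known-good checksums that gets re-hashed later. The added example below (not code from the thread, from debsums or from AIDE) does that by hand. It reads and writes the same line format dpkg keeps under /var/lib/dpkg/info/<package>.md5sums, an md5, two spaces, and a path relative to the root with no leading slash, so verify_manifest can be pointed at one of those files with "/" as the root to reproduce what debsums checks, or at a baseline you built yourself to reproduce the daily AIDE-style report. It assumes a POSIX sh with find, md5sum, sed, sort and comm; the crontab line in the comment and every path in demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: record one md5 per file in the dpkg .md5sums line format
# ("<md5>  <path relative to root>"), then re-hash and report CHANGED,
# MISSING and ADDED files. Assumes POSIX sh with find, md5sum, sed, sort, comm.
# Every path in demo() and the crontab line below are constructed.

# Write a manifest of every regular file under root $1 to file $2.
build_manifest() {
    ( cd "$1" && find . -type f -exec md5sum {} + ) \
        | sed 's#^\([0-9a-f]*\)  \./#\1  #' | sort -k2 > "$2"
}

# Re-hash root $1 against manifest $2. Prints one finding per line and
# returns 1 if anything differs, 0 if the tree matches the manifest.
verify_manifest() {
    vroot=$1; vman=$2; status=0
    while read -r sum path; do
        if [ ! -f "$vroot/$path" ]; then
            echo "MISSING $path"; status=1
        else
            now=$(md5sum "$vroot/$path" | cut -d' ' -f1)
            if [ "$now" != "$sum" ]; then
                echo "CHANGED $path"; status=1
            fi
        fi
    done < "$vman"
    # Files present now but absent from the manifest (new or dropped-in tools).
    known=$(mktemp); current=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$vman" | sort > "$known"
    ( cd "$vroot" && find . -type f | sed 's#^\./##' ) | sort > "$current"
    added=$(comm -13 "$known" "$current")
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/ADDED /'; status=1
    fi
    rm -f "$known" "$current"
    return $status
}

# Cron-friendly wrapper: dated header plus findings, suitable for piping to mail.
# Hypothetical crontab line once a baseline exists (paths are assumptions):
#   0 6 * * * /usr/local/sbin/integrity.sh / /var/lib/integrity/baseline.md5 | mail -s "integrity report" root
daily_report() {
    echo "Integrity report for $1 on $(date -u '+%Y-%m-%d %H:%M UTC')"
    if verify_manifest "$1" "$2"; then echo "no unexpected changes"; fi
}

# Demo on a constructed tree: take a baseline, then simulate one day of activity.
demo() {
    root=$(mktemp -d); base=$(mktemp)
    mkdir -p "$root/bin" "$root/var/log"
    printf 'ls v1' > "$root/bin/ls"
    printf 'ps v1' > "$root/bin/ps"
    printf 'netstat v1' > "$root/bin/netstat"
    printf 'boot ok\n' > "$root/var/log/syslog"
    build_manifest "$root" "$base"
    printf 'login ok\n' >> "$root/var/log/syslog"   # expected noise: a log grew
    printf 'ps v2' > "$root/bin/ps"                 # binary replaced
    rm "$root/bin/netstat"                          # binary removed
    printf 'x' > "$root/bin/.sh"                    # hidden file appeared
    daily_report "$root" "$base"
    rm -rf "$root" "$base"
}
```

The report from demo() shows why the post above says daily reading is cheap: the rolled log is the only expected line, and the replaced, removed and added entries under bin are the ones that deserve a second look. As with AIDE, the baseline is only worth what its storage is: md5sums files on the box itself can be rewritten by whoever replaced the binary, which is why the earlier answer's approach of comparing against a freshly downloaded package, or keeping the manifest off-box, matters.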