Well, the command needs to run on many customer servers, and the sysadmin folks have to do the work, and I'd rather not have the sysadmins creating executable scripts on the customer systems (hosted environment, etc.).
I was wanting to just have the sysadmin copy/paste the command into an ssh window and then give me the output of $? for the system.
The command has to be reniced to +19 (customer request).
So basically it's this:
1. md5 all ELF files on the system (hence sudo)
2. grep for the matching MD5
3. get the exit status of grep, $? (if it finds a match the exit status will = 0)
4. this whole thing has to be reniced to +19
5. a command that the sysadmin can copy/paste is best, without creating a script file on the system
is this correct awk -F':' '/ELF/ {print $1}"
Last edited by Linux_Kidd; 11-15-2012 at 10:19 AM.
Quote:
Originally Posted by Linux_Kidd
Well, the command needs to run on many customer servers, and the sysadmin folks have to do the work, and I'd rather not have the sysadmins creating executable scripts on the customer systems (hosted environment, etc.).
At LQ we like to think along to check proper use, point out blind spots or pitfalls, suggest improvements or alternatives, all in an attempt to make tasks easier and qualitatively better. That's one of the reasons why presenting the full picture in your OP (original post) always is a Good Thing.
Quote:
Originally Posted by Linux_Kidd
is this correct awk -F':' '/ELF/ {print $1}"
No, it is
Code:
awk -F':' '/ELF/ {print $1}'
The real problem however isn't even in who, where or how your commands will be executed (not that you've motivated why responsible personnel can run commands but aren't allowed to save a script to say /dev/shm and run it anyway) but what and how you are searching for (and I think I've got a pretty good idea):
- if the binaries have been changed involuntarily (prelinking?),
- if I change the ELF comment section (objcopy) or recompile it,
- if I obfuscate the ELF header (see Samhain source for an example), use a packer or encryption,
- if I piggyback the ELF onto another binary,
- if the binaries reside inside a compressed archive or
- if I place versions for a different arch or upload the source tarball (no use but still considered a hostile act)
your check will return a clean result and then you won't have caught anything.
And with only three hashes chances are you miss other foreign objects.
Please rethink if what you intend to do is done in the most efficient way.
Last edited by unSpawn; 11-15-2012 at 11:18 AM.
Reason: //NN
I am looking specifically for the presence of three MD5 hashes of infection files found on another system. That is what I was tasked to do. The semantics behind the what-ifs and pitfalls are not in scope. I am not conducting a forensic investigation on other systems, looking in hidden areas to find these files.
I was trying to keep the sysadmin task as simple as possible to avoid human error, as they manage lots of systems for lots of customers (thousands of systems for hundreds of customers), etc.
As for my OP, it does the task I need on RHEL (not sure why it failed on CentOS 6 yet); I was just wanting to know how to background that, and thus far I have a "write a script" answer for it.
I can go the script route, but what's the best way to renice it: just "renice 19 $$" at the top of the script, or perhaps just "sudo nice 19 ~/tmp/script.sh &"? How would you do it?
Thanks.
Last edited by Linux_Kidd; 11-15-2012 at 03:37 PM.
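As an added example that is not code from this thread or from either poster, here is the OP's five steps (hash every ELF file, compare against a list of known-bad MD5s, return grep's exit status, all at niceness 19) written as the script the replies are steering toward, with the renice done at the top of the script via $$ as the OP asks about. Assumptions: GNU coreutils (find, head, od, md5sum, grep) as shipped on RHEL/CentOS, a hash file with one 32-hex-digit MD5 per line (the three hashes from the thread are never given, so any hashes used with it are constructed), and root privileges for a whole-system scan. It detects ELF by the 7f 45 4c 46 magic bytes with od rather than by parsing 'file' output, since the CentOS 6 box in the thread lacked 'file' and since awk -F: on 'file' output breaks on any path containing a colon. One caveat on the alternative the OP proposes: GNU nice takes its increment as "-n 19", so "nice 19 script.sh" would try to run a command named 19.

```shell
#!/bin/sh
# Added example, not code from the thread. Scans a directory tree for ELF
# files, MD5s them and reports whether any hash is in a supplied hash list.
# Assumes GNU coreutils (find, head, od, md5sum, grep) as on RHEL/CentOS.

# Step 4: drop our own priority to +19. Every child of this shell inherits
# the niceness, so find/md5sum/grep all run reniced. "renice -n 19 -p $$"
# is the documented form of "renice 19 $$"; failure is not fatal.
lower_priority() {
    renice -n 19 -p $$ >/dev/null 2>&1 || true
}

# True if the file starts with the ELF magic 7f 45 4c 46 ("\177ELF").
# Uses od instead of 'file', which was missing on the CentOS 6 box.
is_elf() {
    [ "$(head -c 4 -- "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Step 1: print "md5  path" for every regular ELF file under $1. The magic
# check runs inside find -exec so odd filenames (spaces, newlines) are safe
# and no 'file' output has to be parsed. -xdev stays on one filesystem.
hash_elf_files() {
    find "$1" -xdev -type f -size +3c -exec sh -c '
        for f; do
            magic=$(head -c 4 -- "$f" 2>/dev/null | od -An -tx1 | tr -d " \n")
            [ "$magic" = "7f454c46" ] || continue
            # md5sum on stdin avoids the leading "\" it prints for odd paths
            h=$(md5sum < "$f") && printf "%s  %s\n" "${h%% *}" "$f"
        done' sh {} + 2>/dev/null
}

# Steps 2-3: exit 0 if any hash under $1 is listed (one MD5 per line) in
# $2, else 1. -x requires a whole-line match, -F treats hashes literally.
scan_tree() {
    hash_elf_files "$1" | awk '{print $1}' | grep -qxF -f "$2"
}

# Usage: scan_elf_md5.sh HASHFILE [ROOT]   (ROOT defaults to /; run as root)
if [ $# -ge 1 ]; then
    lower_priority
    scan_tree "${2:-/}" "$1"
    rc=$?
    echo "exit status: $rc"   # 0 = a listed hash was found
    exit "$rc"
fi
```

Run it as "sudo sh scan_elf_md5.sh /tmp/bad.txt /" and read the printed exit status: 0 means a listed hash was found, 1 means none was. Because -xdev keeps find on a single filesystem, pass each mounted filesystem (/, /usr, /var, ...) as ROOT or drop -xdev and prune /proc and /sys yourself. If a script file on the customer box really is not acceptable, the same function bodies paste into a single "sudo nice -n 19 sh -c '...'; echo $?" line, at the cost of the quoting being much easier to get wrong, which is the human-error risk the OP is trying to avoid.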
Quote:
Originally Posted by Linux_Kidd
I can go the script route, but what's the best way to renice it: just "renice 19 $$" at the top of the script, or perhaps just "sudo nice 19 ~/tmp/script.sh &"? How would you do it?
I'd use the first.
Quote:
Originally Posted by Linux_Kidd
and for some odd reason, my CentOS 6 doesn't have the 'file' command
If the system doesn't have 'file' we could check for 'strings' or 'od' or whatever else, or you could use something like: