xchris, Advocate (Joined: 10 Jul 2003, Posts: 2824)
Posted: Tue Dec 14, 2004 4:50 pm
Post subject: [TOOL] - Md5check - Poor Tripwire - Etc watcher

Code:
    wget http://www.xchris.net/download.php?file=files/md5check.tar.gz -O md5check.tar.gz

http://www.xchris.net/download.php?file=files/md5check.tar.gz

Did you know that portage has a builtin md5 entry for every file installed by portage?
So we can realize:
- a poor man's tripwire (but effortless)
- a general way to check for changed or missing files
That's what md5check is!

An example:
Let's see which files of the shorewall firewall I changed and maybe want to save.
Code:
    root@lyra md5check # ./md5check shorewall
    * net-firewall/shorewall-2.0.7
    -Changed- /etc/shorewall/masq
    --NOT FOUND /etc/shorewall/zones
    -Changed- /etc/shorewall/shorewall.conf
    -Changed- /etc/shorewall/policy
    -Changed- /etc/shorewall/interfaces
    -Changed- /etc/shorewall/rules

So I also discovered I am missing one file (moved earlier).
You can also specify a pattern to match after the package name (if you want to check only a directory).
Type md5check -h for simple help.
Bye
_________________
while True:Gentoo()

Last edited by xchris on Sat Feb 26, 2005 10:24 am; edited 2 times in total
blue.sca, l33t (Joined: 28 Aug 2003, Posts: 680, Location: Mainz, Germany)
Posted: Tue Dec 14, 2004 5:29 pm

Cool, could be handy sometimes...
_________________
geek by nature, linux by choice
i want my avatar back... thank you
:wq
FonderiaDigitale, Veteran (Joined: 06 Nov 2003, Posts: 1710, Location: Rome, Italy)
Posted: Wed Dec 15, 2004 12:40 am

[LINGUISTA]poors' tripwire[/LINGUISTA]
_________________
As a friend said, sysadmins are a bit like the craftsmen of IT
xbmodder, Guru (Joined: 25 Feb 2004, Posts: 404)
Posted: Wed Dec 15, 2004 2:54 am

Is this a backdoor?
xchris, Advocate (Joined: 10 Jul 2003, Posts: 2824)
Posted: Wed Dec 15, 2004 6:05 am

To be honest... dear friend FonderiaDigitale... it's "poor man.."
A backdoor? Noooooo
Look at the code
_________________
while True:Gentoo()
revertex, l33t (Joined: 23 Apr 2003, Posts: 806)
Posted: Thu Dec 16, 2004 3:26 pm

Code:
    # md5check
    Md5Check 0.1_pre1 - Tool for portage md5 checks
    !!! You Must supply at least package name
    Type md5clean -h for help screen

Code:
    # md5clean -h
    bash: md5clean: command not found
xchris, Advocate (Joined: 10 Jul 2003, Posts: 2824)
Posted: Thu Dec 16, 2004 3:48 pm

Ooooops
md5check -h
I'll fix it... Thank you!
EDIT: uploaded! Same position..
_________________
while True:Gentoo()
revertex, l33t (Joined: 23 Apr 2003, Posts: 806)
Posted: Sun Dec 19, 2004 3:54 pm

Thanks, great tool, nice colors, thumbs up!
revertex, l33t (Joined: 23 Apr 2003, Posts: 806)
Posted: Mon Dec 20, 2004 1:20 pm

xchris,
Just a little question: suppose I've got "foo-v1.0" installed, then I sync portage and it shows a new foo version v1.1. Will md5check check the sig against the installed version (foo-v1.0) or against the latest version found in portage (foo-v1.1)?
xchris, Advocate (Joined: 10 Jul 2003, Posts: 2824)
Posted: Mon Dec 20, 2004 1:23 pm

It will always look at the installed packages, as we do not know the md5 digests of uninstalled packages. (Portage calculates them and then writes them into the CONTENTS file in /var/db/pkg.)
Bye
_________________
while True:Gentoo()
revertex, l33t (Joined: 23 Apr 2003, Posts: 806)
Posted: Tue Dec 28, 2004 2:00 pm

Any way to make md5check work like fcheck?
xchris, Advocate (Joined: 10 Jul 2003, Posts: 2824)
Posted: Wed Jan 26, 2005 9:40 am

revertex wrote:
    Any way to make md5check work like fcheck?

Sorry... I missed your post.
What do you mean?
Bye
_________________
while True:Gentoo()
Gherald, Veteran (Joined: 23 Aug 2004, Posts: 1399, Location: CLUAConsole)
Posted: Mon Apr 04, 2005 10:40 am

Wow, I didn't realize portage kept track of MD5s for every installed file...
There should be an etc-update (or dispatch-conf, or whatever) that uses this information to auto-merge config files in /etc that haven't changed since the package was last installed.
EDIT: Scratching my own itch...
mauricev, Apprentice (Joined: 22 Mar 2004, Posts: 202)
Posted: Tue Apr 05, 2005 10:29 pm

When I try it on "sudo", I get
Code:
    maurice@thewarehouse4 ~/md5check $ ./md5check sudo-1.6.7_p5-r2
    * app-admin/sudo-1.6.7_p5-r2
    --NOT FOUND /usr/bin/sudo
    --NOT FOUND /etc/sudoers
    --NOT FOUND /usr/sbin/visudo

But when I looked manually, I found them:
Code:
    maurice@thewarehouse4 /var/db/pkg/app-admin/sudo-1.6.7_p5-r2 $ more CONT*
    ...
    obj /usr/bin/sudo a0d7d6f9d78c955532c96c32f64c409e 1104042368
    ...
    obj /usr/sbin/visudo 70952bbc9fa36ff63da9692f08f50da1 1104042368
    ...
    obj /etc/sudoers 541d349d91e9c84bec654e53b02f62de 1104042368

So it appears to be falsely reporting they are missing their md5sums.
By the way, this is fcheck: http://www.geocities.com/fcheck2000/fcheck.html
xchris, Advocate (Joined: 10 Jul 2003, Posts: 2824)
Posted: Tue Apr 05, 2005 10:37 pm

mauricev wrote:
    But when I looked manually, I found them:
    [cut ..]
    So it appears to be falsely reporting they are missing their md5sums.

It means you are missing those files.
Try:
Code:
    ls -l /usr/bin/sudo
    ls -l /etc/sudoers
    ls -l /usr/sbin/visudo

Let me know if it's an md5check problem.
Thank you for fcheck
_________________
while True:Gentoo()
mauricev, Apprentice (Joined: 22 Mar 2004, Posts: 202)
Posted: Tue Apr 05, 2005 11:20 pm

I am actually using "sudo" to display the md5sums of those files
Code:
    maurice@thewarehouse4 ~ $ sudo md5sum /usr/bin/sudo /etc/sudoers /usr/sbin/visudo
    a0d7d6f9d78c955532c96c32f64c409e /usr/bin/sudo
    35c3c076fdbe8f4aaf66cb4ed15d2619 /etc/sudoers
    70952bbc9fa36ff63da9692f08f50da1 /usr/sbin/visudo

The sums match except for the sudoers file, which should be different because it's the config file.
So what could be going on?
mauricev, Apprentice (Joined: 22 Mar 2004, Posts: 202)
Posted: Tue Apr 05, 2005 11:41 pm

My bad.
I ran md5check without sudo. It doesn't have permission to operate on those files unless it's root.
Anyway, it's a neat program. But how do I use it? That is, if it always reports
Code:
    -Changed- /etc/sudoers

how will that tell me anything?
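The check the thread describes (re-hash every "obj" entry of a package's CONTENTS file and compare against the recorded md5) is simple enough to show in full. What follows is an added example written for this page; it is not xchris's md5check nor any code from the thread. It also covers the pitfall mauricev just hit: a file that exists but cannot be read by the current user is reported as UNREADABLE instead of NOT FOUND, so an unprivileged run is not mistaken for missing files. The demo builds a throwaway fake root under a temporary directory with constructed file contents (the shorewall paths and the mtime value 1104042368 are reused from the thread as labels only) rather than touching the live /var/db/pkg.

```python
#!/usr/bin/env python3
"""Constructed example: an md5check-style verifier over portage CONTENTS records.

Portage writes one line per installed file into /var/db/pkg/<cat>/<pkg>/CONTENTS.
Regular files are recorded as:  obj <path> <md5hex> <mtime>
(dir and sym records carry no checksum and are skipped here).
"""
import hashlib
import os
import shutil
import tempfile


def parse_contents(text):
    """Yield (path, md5) for every 'obj' record in a CONTENTS file."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "obj":
            yield fields[1], fields[2].lower()


def md5_of(path):
    """MD5 of a file's bytes, read in chunks so large binaries are fine."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_contents(text, root="/"):
    """Map each recorded path to OK / Changed / NOT FOUND / UNREADABLE.

    root is prefixed to every recorded path; the default checks the live system.
    UNREADABLE is kept separate from NOT FOUND so that a run as an unprivileged
    user (the sudo/visudo/sudoers confusion in this thread) does not look like
    files that are actually missing.
    """
    results = {}
    for path, recorded in parse_contents(text):
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.exists(full):
            results[path] = "NOT FOUND"
            continue
        try:
            actual = md5_of(full)
        except PermissionError:
            results[path] = "UNREADABLE"
            continue
        results[path] = "OK" if actual == recorded else "Changed"
    return results


def demo():
    """Build a throwaway fake root resembling the shorewall run shown in the thread."""
    root = tempfile.mkdtemp(prefix="md5check-demo-")
    try:
        os.makedirs(os.path.join(root, "etc/shorewall"))
        originals = {  # constructed file contents, not real shorewall configs
            "/etc/shorewall/masq": b"# constructed masq\n",
            "/etc/shorewall/policy": b"# constructed policy\n",
            "/etc/shorewall/zones": b"# constructed zones\n",
            "/etc/shorewall/rules": b"# constructed rules\n",
        }
        records = ["dir /etc/shorewall"]
        for path, data in originals.items():
            with open(os.path.join(root, path.lstrip("/")), "wb") as fh:
                fh.write(data)
            records.append(f"obj {path} {hashlib.md5(data).hexdigest()} 1104042368")
        contents = "\n".join(records) + "\n"
        # Simulate the three situations the thread discusses.
        with open(os.path.join(root, "etc/shorewall/masq"), "ab") as fh:
            fh.write(b"# local edit\n")                           # -> Changed
        os.remove(os.path.join(root, "etc/shorewall/zones"))      # -> NOT FOUND
        os.chmod(os.path.join(root, "etc/shorewall/rules"), 0)    # -> UNREADABLE (OK when run as root)
        return check_contents(contents, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:>10}  {path}")
```

To run it against a real installed package instead of the fixture, read /var/db/pkg/<category>/<package-version>/CONTENTS and call check_contents(text) as root; the CONTENTS md5 only tells you that a file differs from what portage installed, which for a config file such as /etc/sudoers is expected, so the signal is in files that should never change (binaries, libraries, init scripts).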
Gherald, Veteran (Joined: 23 Aug 2004, Posts: 1399, Location: CLUAConsole)
Posted: Wed Apr 06, 2005 12:12 am

mauricev wrote:
    But how do I use it? That is, if it always reports:
    Code:
        -Changed- /etc/sudoers
    how will that tell me anything?

It tells you whether any files installed by a package have changed. That is md5check's purpose.
My md5-update script uses the same information to integrate with etc-update and determine if a config file that needs updating has not changed since it was originally installed. If the config wasn't altered since it was last installed, md5-update offers to replace it with the "._cfg????_*" update on the spot, thus allowing etc-update to only deal with files that have changed, e.g. /etc/sudoers in your case.
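Gherald's md5-update script itself is not on this page. The following is an added example of the decision rule he describes, written for this page and not his code: for each pending "._cfg????_name" update, hash the file currently in place, and if it still matches the md5 recorded when it was installed, nobody has edited it and the new version can be moved over it; otherwise it is left for etc-update. It assumes the install-time md5 is available as a dict keyed by path (the equivalent of a CONTENTS lookup; which CONTENTS record to consult after an upgrade is not settled by the thread, so the baseline is passed in explicitly), and it works on a constructed temporary directory rather than the real /etc.

```python
#!/usr/bin/env python3
"""Constructed example: auto-merge pending /etc updates whose target is untouched.

Portage's CONFIG_PROTECT leaves a new config version next to the old one as
._cfg0000_<name> (the counter grows if several updates pile up). If the file
currently in place still hashes to the md5 recorded when it was installed,
nobody has edited it, so replacing it with the pending version is safe.
"""
import hashlib
import os
import re
import shutil
import tempfile

CFG_RE = re.compile(r"^\._cfg(\d{4})_(.+)$")


def parse_contents(text):
    """Yield (path, md5) for every 'obj' record in a CONTENTS file."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "obj":
            yield fields[1], fields[2].lower()


def md5_of(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()


def merge_unmodified(baseline, root, etc_dir="/etc", apply=True):
    """Return {target: 'auto-merge' | 'leave for etc-update'} for every pending update.

    baseline maps an installed path (as recorded in CONTENTS) to its md5 at
    install time. With apply=True, the newest pending file is moved over an
    untouched target and older pending copies are discarded; anything that
    was locally edited (or has no baseline) is left for etc-update.
    """
    directory = os.path.join(root, etc_dir.lstrip("/"))
    pending = {}
    for name in os.listdir(directory):
        match = CFG_RE.match(name)
        if match:
            pending.setdefault(match.group(2), []).append((int(match.group(1)), name))
    decisions = {}
    for target, versions in pending.items():
        recorded_path = os.path.join(etc_dir, target)   # key as it appears in CONTENTS
        current = os.path.join(directory, target)
        newest = os.path.join(directory, max(versions)[1])
        untouched = (recorded_path in baseline and os.path.isfile(current)
                     and md5_of(current) == baseline[recorded_path])
        decisions[recorded_path] = "auto-merge" if untouched else "leave for etc-update"
        if untouched and apply:
            os.replace(newest, current)
            for _, name in versions:                      # drop superseded ._cfg copies
                stale = os.path.join(directory, name)
                if os.path.exists(stale):
                    os.remove(stale)
    return decisions


def demo():
    """Fixture: one untouched config and one locally edited one, both with updates pending."""
    root = tempfile.mkdtemp(prefix="md5update-demo-")
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        installed = {"sudoers": b"# stock sudoers\n", "foo.conf": b"# stock foo.conf\n"}
        baseline = {}
        for name, data in installed.items():
            with open(os.path.join(etc, name), "wb") as fh:
                fh.write(data)
            baseline["/etc/" + name] = hashlib.md5(data).hexdigest()
        with open(os.path.join(etc, "sudoers"), "ab") as fh:
            fh.write(b"# local edit by the admin\n")       # must not be clobbered
        for name in ("._cfg0000_sudoers", "._cfg0000_foo.conf", "._cfg0001_foo.conf"):
            with open(os.path.join(etc, name), "wb") as fh:
                fh.write(b"# new version from " + name.encode() + b"\n")
        decisions = merge_unmodified(baseline, root)
        with open(os.path.join(etc, "foo.conf"), "rb") as fh:
            foo_after = fh.read()
        leftovers = sorted(n for n in os.listdir(etc) if n.startswith("._cfg"))
        return decisions, foo_after, leftovers
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    decisions, foo_after, leftovers = demo()
    for path, decision in sorted(decisions.items()):
        print(f"{decision:<22} {path}")
    print("still pending for etc-update:", leftovers)
```

The edited /etc/sudoers keeps its pending ._cfg0000_sudoers for a human to review, while the untouched foo.conf is replaced by the newest pending copy (._cfg0001_) and the superseded ._cfg0000_ copy is removed.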
ziererk, n00b (Joined: 26 Mar 2004, Posts: 32, Location: Germany)
Posted: Wed Jul 13, 2005 9:17 pm
Post subject: Greatly thanks for your tool!

My system got compromised and I didn't run any tool like tripwire. With your tool I can find out which packages I have to re-emerge to get a clean system again. Thanks!
Klaus
mauricev, Apprentice (Joined: 22 Mar 2004, Posts: 202)
Posted: Wed Jul 13, 2005 10:10 pm

Quote:
    My system got compromised and I didn't run any tool like tripwire. With your tool I can find out which packages I have to re-emerge to get a clean system again

Once a system is compromised, it seems reasonable to assume everything has been compromised, and you should reinstall from a known clean backup.
ziererk, n00b (Joined: 26 Mar 2004, Posts: 32, Location: Germany)
Posted: Wed Jul 13, 2005 10:19 pm

Quote:
    Once a system is compromised, it seems reasonable to assume everything has been compromised, and you should reinstall from a known clean backup.

I waited for such an answer.
1. Don't be paranoid. Who guarantees me that the Gentoo servers are not compromised? And even then... remember the hack in the tcpdump source
2. This is a production server. I cannot reinstall just for fun where 100 domains with email, some other server daemons etc. are running
3. I don't have the time for it
4. I have limited backup space, so I just back up the data, not the system
Klaus
mauricev, Apprentice (Joined: 22 Mar 2004, Posts: 202)
Posted: Wed Jul 13, 2005 11:05 pm

Quote:
    2. This is a production server. I cannot reinstall just for fun where 100 domains with email, some other server daemons etc. are running

(If it were me, I would format the drives, reinstall the OS fresh and restore the data from backup. That means serious downtime, but what if it turns out something got left behind, a sinister trojan which randomly sends a cc of outgoing email to other outgoing addresses? I'm not a lawyer, but I wonder if you could have legal liability if those domains are paying customers.)

Quote:
    4. I have limited backup space, so I just back up the data, not the system

Isn't the system a relatively small fixed size? You might want to consider doing a stage4 backup: https://forums.gentoo.org/viewtopic-t-146750-highlight-stage4.html
xchris, Advocate (Joined: 10 Jul 2003, Posts: 2824)
Posted: Thu Jul 14, 2005 7:44 am

@mauricev: your solution is not always applicable... (downtime)
@ziererk: glad to hear you found md5check useful. Less glad to know you had to use it.. :S
_________________
while True:Gentoo()
ziererk, n00b (Joined: 26 Mar 2004, Posts: 32, Location: Germany)
Posted: Thu Jul 14, 2005 5:25 pm

Quote:
    (If it were me, I would format the drives, reinstall the OS fresh and restore the data from backup. That means serious downtime, but what if it turns out something got left behind, a sinister trojan which randomly sends a cc of outgoing email to other outgoing addresses? I'm not a lawyer, but I wonder if you could have legal liability if those domains are paying customers.)

If there is something left behind, how does it get activated? All boot scripts and profile scripts were checked and/or replaced. After searching with chkrootkit and rkhunter, I searched every directory by hand. The recovery took me nearly 2 complete days, and I think it's nearly impossible that anything bad survived (because of the great md5check tool).
I checked the hacker scripts I found on the machine, too, and reverted all changes.
And I'm sure these hackers were not that professional. They deleted the whole /var/log directory. This resulted in some crashes, so I found the attack a few hours later.
Now I'm running on PaX and grsecurity, and I will never forget to update the kernel.
Klaus
Hollow, Retired Dev (Joined: 05 Dec 2003, Posts: 35, Location: Berlin, Germany)
Posted: Tue Feb 12, 2008 8:24 pm

Since the download is dead, here is a short one-liner that does the job:
Code:
    grep -h ^obj /var/db/pkg/*/*/CONTENTS | sort -u | awk '{print $3 " " $2}' | md5sum -c 2>/dev/null | sed 's/: FAILED.*//;tn;d;:n'