Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[TOOL] - Md5check - Poor Tripwire - Etc watcher
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Unsupported Software
View previous topic :: View next topic  
Author Message
xchris
Advocate
Advocate


Joined: 10 Jul 2003
Posts: 2824
Location: 45.488291,9.186094

PostPosted: Tue Dec 14, 2004 4:50 pm    Post subject: [TOOL] - Md5check - Poor Tripwire - Etc watcher Reply with quote

Code:

wget http://www.xchris.net/download.php?file=files/md5check.tar.gz -O md5check.tar.gz


http://www.xchris.net/download.php?file=files/md5check.tar.gz

Did you know that portage has a builtin md5 entry for every file installed by portage?

So...we can realize:
- a poor man tripwire (but effortless)
- a general way for file change or miss check

That's what md5check is!
An example:

Let's see which file of shorewall firewall i changed and maybe i want to save
Code:

root@lyra md5check # ./md5check shorewall

* net-firewall/shorewall-2.0.7

  -Changed-     /etc/shorewall/masq
--NOT FOUND      /etc/shorewall/zones
  -Changed-     /etc/shorewall/shorewall.conf
  -Changed-     /etc/shorewall/policy
  -Changed-     /etc/shorewall/interfaces
  -Changed-     /etc/shorewall/rules


so i also discovered i miss one file :) (moved before ;))

you could also specifcy a pattern to match after package (if you wanna check only a directory)

type md5check -h for simple help.
Bye
_________________
while True:Gentoo()


Last edited by xchris on Sat Feb 26, 2005 10:24 am; edited 2 times in total
Back to top
View user's profile Send private message
blue.sca
l33t
l33t


Joined: 28 Aug 2003
Posts: 680
Location: Mainz, Germany

PostPosted: Tue Dec 14, 2004 5:29 pm    Post subject: Reply with quote

cool, could be handy sometimes...
_________________
geek by nature, linux by choice
i want my avatar back... thank you
:wq
Back to top
View user's profile Send private message
FonderiaDigitale
Veteran
Veteran


Joined: 06 Nov 2003
Posts: 1710
Location: Rome, Italy

PostPosted: Wed Dec 15, 2004 12:40 am    Post subject: Reply with quote

[LINGUISTA]poors' tripwire[/LINGUISTA] ;)
_________________
Come disse un amico, i sistemisti sono un po' come gli artigiani per l'informatica :)
Back to top
View user's profile Send private message
xbmodder
Guru
Guru


Joined: 25 Feb 2004
Posts: 404

PostPosted: Wed Dec 15, 2004 2:54 am    Post subject: Reply with quote

is this a backdoor?
Back to top
View user's profile Send private message
xchris
Advocate
Advocate


Joined: 10 Jul 2003
Posts: 2824
Location: 45.488291,9.186094

PostPosted: Wed Dec 15, 2004 6:05 am    Post subject: Reply with quote

to be honest ...dear friend FonderiaDigitale.. it's "poor man.." :)

a backdoor? :lol: Noooooo
Look at the code :)
_________________
while True:Gentoo()
Back to top
View user's profile Send private message
revertex
l33t
l33t


Joined: 23 Apr 2003
Posts: 806

PostPosted: Thu Dec 16, 2004 3:26 pm    Post subject: Reply with quote

Code:
#md5check



Md5Check  0.1_pre1 -   Tool for portage md5 checks

!!! You Must supply at least package name

Type md5clean -h for help screen


Code:
# md5clean -h
bash: md5clean: command not found
Back to top
View user's profile Send private message
xchris
Advocate
Advocate


Joined: 10 Jul 2003
Posts: 2824
Location: 45.488291,9.186094

PostPosted: Thu Dec 16, 2004 3:48 pm    Post subject: Reply with quote

ooooops :)
md5check -h :lol:

I'll fix it...Thank You!

EDIT:uploaded! same position..
_________________
while True:Gentoo()
Back to top
View user's profile Send private message
revertex
l33t
l33t


Joined: 23 Apr 2003
Posts: 806

PostPosted: Sun Dec 19, 2004 3:54 pm    Post subject: Reply with quote

thank's, great tool, nice colors, thumb's up! :D
Back to top
View user's profile Send private message
revertex
l33t
l33t


Joined: 23 Apr 2003
Posts: 806

PostPosted: Mon Dec 20, 2004 1:20 pm    Post subject: Reply with quote

xchris,
jus a little question, suppose i've got "foo-v1.0" installed, then i sync portage and it show a new foo version v1.1, will md5check check the sig against the installed version (foo-v1.0) or against the latest version found in portage (foo-v1.1) ?
Back to top
View user's profile Send private message
xchris
Advocate
Advocate


Joined: 10 Jul 2003
Posts: 2824
Location: 45.488291,9.186094

PostPosted: Mon Dec 20, 2004 1:23 pm    Post subject: Reply with quote

it will always look for installed packages as we do not know md5 digest for uninstalled packages. (portage calculates it and then write it down in CONTENT file in /var/db/pkg)

bye :)
_________________
while True:Gentoo()
Back to top
View user's profile Send private message
revertex
l33t
l33t


Joined: 23 Apr 2003
Posts: 806

PostPosted: Tue Dec 28, 2004 2:00 pm    Post subject: Reply with quote

any way to md5check work like fcheck?
Back to top
View user's profile Send private message
xchris
Advocate
Advocate


Joined: 10 Jul 2003
Posts: 2824
Location: 45.488291,9.186094

PostPosted: Wed Jan 26, 2005 9:40 am    Post subject: Reply with quote

revertex wrote:
any way to md5check work like fcheck?


sorry... imissed your post.
What do you mean?
bye
_________________
while True:Gentoo()
Back to top
View user's profile Send private message
Gherald
Veteran
Veteran


Joined: 23 Aug 2004
Posts: 1399
Location: CLUAConsole

PostPosted: Mon Apr 04, 2005 10:40 am    Post subject: Reply with quote

Wow, I didn't realize portage kept track of MD5s for every installed file...

There should be an etc-update (or dispatch-conf, or whatever) that uses this information to auto-merge config files in /etc that haven't changed since the package was last installed.

EDIT: Scratching my own itch... :)
Back to top
View user's profile Send private message
mauricev
Tux's lil' helper
Tux's lil' helper


Joined: 22 Mar 2004
Posts: 107

PostPosted: Tue Apr 05, 2005 10:29 pm    Post subject: Reply with quote

When I try it on "sudo", I get

Code:

maurice@thewarehouse4 ~/md5check $ ./md5check sudo-1.6.7_p5-r2

* app-admin/sudo-1.6.7_p5-r2

--NOT FOUND      /usr/bin/sudo
--NOT FOUND      /etc/sudoers
--NOT FOUND      /usr/sbin/visudo


But when I looked manually, I found them:

Code:

maurice@thewarehouse4 /var/db/pkg/app-admin/sudo-1.6.7_p5-r2 $ more CONT*
 
...
obj /usr/bin/sudo a0d7d6f9d78c955532c96c32f64c409e 1104042368
...
obj /usr/sbin/visudo 70952bbc9fa36ff63da9692f08f50da1 1104042368
...
obj /etc/sudoers 541d349d91e9c84bec654e53b02f62de 1104042368


So it appears to be falsely reporting they are missing their md5sums.

Quote:
What do you mean?


By the way, this is fcheck: http://www.geocities.com/fcheck2000/fcheck.html
Back to top
View user's profile Send private message
xchris
Advocate
Advocate


Joined: 10 Jul 2003
Posts: 2824
Location: 45.488291,9.186094

PostPosted: Tue Apr 05, 2005 10:37 pm    Post subject: Reply with quote

mauricev wrote:

But when I looked manually, I found them:

[cut ..]
So it appears to be falsely reporting they are missing their md5sums.

It means you miss those files.
Try:

Code:

ls -l /usr/bin/sudo
ls -l /etc/sudoers
ls -l /usr/sbin/visudo



let me know if it'a a md5 check problem.


thank you for fcheck ;)
_________________
while True:Gentoo()
Back to top
View user's profile Send private message
mauricev
Tux's lil' helper
Tux's lil' helper


Joined: 22 Mar 2004
Posts: 107

PostPosted: Tue Apr 05, 2005 11:20 pm    Post subject: Reply with quote

I am actually using "sudo" to display the md5sums of those files :D



Code:

maurice@thewarehouse4 ~ $ sudo md5sum /usr/bin/sudo /etc/sudoers /usr/sbin/visudo

a0d7d6f9d78c955532c96c32f64c409e  /usr/bin/sudo
35c3c076fdbe8f4aaf66cb4ed15d2619  /etc/sudoers
70952bbc9fa36ff63da9692f08f50da1  /usr/sbin/visudo


The sums match except for the sudoers file, which should be different because it's the config file.


So what could be going on?
Back to top
View user's profile Send private message
mauricev
Tux's lil' helper
Tux's lil' helper


Joined: 22 Mar 2004
Posts: 107

PostPosted: Tue Apr 05, 2005 11:41 pm    Post subject: Reply with quote

My bad. :oops:

I ran md5check without sudo. It doesn't have permission to operate on those files unless it's root.

Anyway, it's neat program. :idea: But how do I use it? That is, if it always reports

Code:

-Changed-     /etc/sudoers


how will that tell me anything?
Back to top
View user's profile Send private message
Gherald
Veteran
Veteran


Joined: 23 Aug 2004
Posts: 1399
Location: CLUAConsole

PostPosted: Wed Apr 06, 2005 12:12 am    Post subject: Reply with quote

mauricev wrote:
But how do I use it? That is, if it always reports:
Code:
-Changed-     /etc/sudoers

how will that tell me anything?

It tells you whether any files installed by a package have changed. That is md5check's purpose.

My md5-update script uses the same information to integrate with etc-update and determine if a config file that needs updating has not changed since it was originally installed. If the config wasn't altered since it was last installed, md5-update offers to replace it with the "._cfg????_*" update on the spot thus allowing etc-update to only deal with files that have changed e.g. /etc/sudoers in your case.
Back to top
View user's profile Send private message
ziererk
n00b
n00b


Joined: 26 Mar 2004
Posts: 32
Location: Germany

PostPosted: Wed Jul 13, 2005 9:17 pm    Post subject: Greatly thanks for your tool! Reply with quote

My system got compromised and I didn't run any tool like tripwire. With your tool I can find out with packages I have to reemerge, to get a clean system again. Thanks!

Klaus
Back to top
View user's profile Send private message
mauricev
Tux's lil' helper
Tux's lil' helper


Joined: 22 Mar 2004
Posts: 107

PostPosted: Wed Jul 13, 2005 10:10 pm    Post subject: Reply with quote

Quote:
My system got compromised and I didn't run any tool like tripwire. With your tool I can find out with packages I have to reemerge, to get a clean system again


Once a system is compromised, it seems reasonable to assume everything has been compromised, and you should reinstall from a known clean backup.
Back to top
View user's profile Send private message
ziererk
n00b
n00b


Joined: 26 Mar 2004
Posts: 32
Location: Germany

PostPosted: Wed Jul 13, 2005 10:19 pm    Post subject: Reply with quote

Quote:
Once a system is compromised, it seems reasonable to assume everything has been compromised, and you should reinstall from a known clean backup.


I waited for such an answer.
1. Be not paranoid. Who guarantees me, that the Gentoo-Servers are not compromised? And even then... remember the hack in the tcpdump source
2. This is a production server. I cannot reinstall just for fun where 100 domains with email, some other server daemons etc. are running
3. I don't have the time it
4. I have limited backup space, so I just backup the data, not the system

Klaus
Back to top
View user's profile Send private message
mauricev
Tux's lil' helper
Tux's lil' helper


Joined: 22 Mar 2004
Posts: 107

PostPosted: Wed Jul 13, 2005 11:05 pm    Post subject: Reply with quote

Quote:
2. This is a production server. I cannot reinstall just for fun where 100 domains with email, some other server daemons etc. are running



(If it were me, I would format the drives, reinstall the OS fresh and restore the data from backup. That means serious downtime, but what if it turns out something got left behind, a sinister trojan, which sends cc email for outgoing email randomly to other outgoing addresses? I'm not a lawyer, but I wonder if you could have legal liability if those domains are paying customers.)


Quote:
4. I have limited backup space, so I just backup the data, not the system


Isn't the system a relatively small fixed size? You might want to consider doing a stage4 backup, https://forums.gentoo.org/viewtopic-t-146750-highlight-stage4.html
Back to top
View user's profile Send private message
xchris
Advocate
Advocate


Joined: 10 Jul 2003
Posts: 2824
Location: 45.488291,9.186094

PostPosted: Thu Jul 14, 2005 7:44 am    Post subject: Reply with quote

@mauricev: your solution is not alway appliable... (downtimes)

@ziererk: glad to hear you found md5check usefull. Less glad to know you had to use it.. :S
_________________
while True:Gentoo()
Back to top
View user's profile Send private message
ziererk
n00b
n00b


Joined: 26 Mar 2004
Posts: 32
Location: Germany

PostPosted: Thu Jul 14, 2005 5:25 pm    Post subject: Reply with quote

Quote:
(If it were me, I would format the drives, reinstall the OS fresh and restore the data from backup. That means serious downtime, but what if it turns out something got left behind, a sinister trojan, which sends cc email for outgoing email randomly to other outgoing addresses? I'm not a lawyer, but I wonder if you could have legal liability if those domains are paying customers.)


If there is something left behind, how get it activated? All bootscripts and profile-scripts were checked and/or replaced. After searching with chkrootkit and rkhunter, I searched in every directory by hand. The recovery took me nearly 2 complete days, and I think, its nearly impossible that anything bad survived (because of the great md5check-tool).
I checked the hacker scripts, I found in the machine, too, and reverted all changes.

And I'm sure, these hackers were not that professional. They deleted the whole /var/log directory. This resulted in some crashes, so I found the attack a few hours later.

Now I'm running on PaX and grsecurity, and I will never forget to update the kernel.

Klaus
Back to top
View user's profile Send private message
Hollow
Developer
Developer


Joined: 05 Dec 2003
Posts: 35
Location: Berlin, Germany

PostPosted: Tue Feb 12, 2008 8:24 pm    Post subject: Reply with quote

since the download is dead, here is a short one-liner that does the job:

Code:

grep -h ^obj /var/db/pkg/*/*/CONTENTS | sort -u | awk '{print $3 "  " $2}' | md5sum -c 2>/dev/null | sed 's/: FAILED.*//;tn;d;:n'
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Unsupported Software All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum