
Re: Checksums for OpenBSD system files



  Checksums aren't so trusted, but cryptographic checksums
  such as md5 are far more secure, and are what should be
  used here.

  If I had a system that I wanted to check the files on, I'd
  bring over a statically linked md5--don't forget about
  purloined libraries...

  Better still, take the disk from the suspect machine and
  stuff it onto a known good machine, boot with the known
  good disk and then mount the suspect disk and do your
  checking.

  --STeve Andre'

  >
  > Checksums/hashes are by no means a sure thing.  I've never encountered them
  > myself, but there are some nasty rootkits out there that make it very very
  > difficult to trust the output of any part of your system *after* it's been
  > compromised.
  >
  > -Mike
  >
  > At 06:01 AM 12/4/2001 +0100, Tom wrote:
  > >On Tue, Dec 04, 2001 at 03:15:09AM -0000, Dr. Evil wrote:
  > > > Hi, I am trying to find out if my BSD machine has possibly been
  > > > hacked.  I realize that the ideal thing to do if there is any question
  > > > is to wipe the machine and reinstall, but I have absolutely no
  > > > physical access at this time, so that's not an option.  What I would
  > > > like to do is to get a list of the MD5 sums of all the important files
  > > > in the standard install.  Is there such a list?  Or should I download
  > > > the images, unpack them and md5 them?  This is with 2.8, btw.
  > >
  > >speaking of that, *if* the machine got hacked, there is no way you can
  > >get a negative confirmation. anything on the hacked system may be
  > >modified, including md5sum.
  > >
  > >that said, if you want to be reasonably sure, at least copy over your
  > >own md5sum and preferably at least one more such tool (shasum?), maybe
  > >even your own shell to work with. while sshd is most likely trojaned as
  > >well, it is unlikely that it will intelligently modify binaries in-transit.
  > >
  > >that still leaves the filesystem and kernel, though.
  > >
  > >good hunting. :)
  > >
  > >--
  > >http://web.lemuria.org/pubkey.html
  > >pub  1024D/D88D35A6 2001-11-14 Tom Vogt <tom_(_at_)_lemuria_(_dot_)_org>
  > >      Key fingerprint = 276B B7BB E4D8 FCCE DB8F  F965 310B 811A D88D 35A6
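The procedure the thread describes (a trusted hash tool brought over separately, a manifest of known-good sums taken from clean install media, the suspect disk mounted on a known-good machine) as an added example, not part of the original thread: a POSIX sh script that builds a manifest from a clean tree and verifies a suspect tree against it. The two-column manifest format, the `demo` tree and the fallback to GNU `md5sum` when BSD `md5` is absent are assumptions of this example, not an OpenBSD format.

```shell
#!/bin/sh
# Verify files under a suspect root (the compromised disk mounted read-only
# on a known-good machine) against a manifest of known-good MD5 sums taken
# from clean install media. Manifest format (constructed here): "<md5>  <path>".
# The hash tool itself must come from trusted media, never from the suspect disk.

hash_file() {
    # Bare MD5 hex digest of one file: GNU md5sum if present, else BSD md5 -q.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

make_manifest() {
    # make_manifest ROOT: one "<md5>  <relative path>" line per regular file.
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done )
}

verify_manifest() {
    # verify_manifest MANIFEST ROOT: print MISSING/MISMATCH for each file under
    # ROOT that differs from the manifest; return 1 if anything differed.
    manifest=$1 root=$2 bad=0
    while read -r expect path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(hash_file "$root/$path")" != "$expect" ]; then
            echo "MISMATCH $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

demo() {
    # Constructed sample: clean tree -> manifest -> tampered copy -> verify.
    work=$(mktemp -d) || return 2
    mkdir -p "$work/clean/bin" "$work/clean/sbin"
    printf 'original ls\n' > "$work/clean/bin/ls"
    printf 'original sshd\n' > "$work/clean/sbin/sshd"
    make_manifest "$work/clean" > "$work/manifest"
    cp -R "$work/clean" "$work/suspect"
    printf 'trojaned sshd\n' > "$work/suspect/sbin/sshd"   # modified binary
    rm "$work/suspect/bin/ls"                               # deleted binary
    verify_manifest "$work/manifest" "$work/suspect" && rc=0 || rc=$?
    rm -rf "$work"; return $rc
}
```

Call `demo` to run the constructed sample; for a real check, run `make_manifest` against a tree unpacked from clean install sets and `verify_manifest` against the suspect disk's read-only mount point (a placeholder such as /mnt/suspect).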


