Slashdot Mirror


Known-Good MD5 Database

bgp4 writes "Have you ever examined a system you thought was broken into but you weren't sure? If only you had run an integrity verification program like osiris or Tripwire first you could have figured out what programs had been changed. In an effort to help out in the instances when you can't answer the question "what was this like before?" we've constructed a searchable database of MD5 and SHA-1 hashes for files in many standard operating systems. You can search using the filename or the checksum and see if you have a trojaned binary or an overactive imagination. Currently at knowngoods.org we have many FreeBSD, OS X, Linux, and Solaris installations checksummed and cataloged. If you have other programs or distributions you would like to see in the database, please let us know."

11 of 307 comments

  1. Yes, in fact, I have! by Anonymous Coward · · Score: 4, Funny
    Have you ever examined a system you thought was broken into but you weren't sure?
    Just about every time I've broken into a system! :)
  2. Furthermore, by Anonymous Coward · · Score: 1, Funny

    I need a daemon that will monitor the binaries and check their md5 with this database to keep me secure!

    1. Re:Furthermore, by CableModemSniper · · Score: 3, Funny

      I need a daemon that will automatically checksum the daemon. And then a daemon to automatically checksum the checksumming daemon. And a daemon to automatically checksum the daemon checksumming daemon checksumming daemon and a daemon...

      --
      Why not fork?
  3. Re:What?! No Windows? by Anonymous Coward · · Score: 1, Funny

    Wow! You're right. I mean, how will you know the Klez virus you have is the right one?

  4. config files by Erpo · · Score: 5, Funny

    This is great for precompiled binaries, but it won't work so well for config files - they're different from system to system. I have a better solution:

    Anyone who wants to make sure their important config files haven't been changed by an intruder can email them to me, and I'll hold on to them for safekeeping. /etc/passwd and /etc/shadow are especially likely to be modified, so I'd recommend sending those right away.

  5. Relief by eyeball · · Score: 3, Funny

    Oh good, the md5 hash for my /sbin/md5 binary matches the signature found on known-goods. Now I can sleep at night. oh, wait...

    --

    _______
    2B1ASK1
  6. how does this work? by thogard · · Score: 5, Funny

    OK, let's see if I've been hacked...
    $ md5 /dev/null
    d41d8cd98f00b204e9800998ecf8427e

    So I put d41d8cd98f00b204e9800998ecf8427e in the search engine and it came up with 560 hits (compared with 3170 from google).

    Now it appears that someone replaced my /dev/null with /private/var/servermgrd/servermgr_dirserv.lock from Mac OS X. What a bummer, and it's a brand-new system too...

    Does the database have a way to flag files as being bad? Sa

    When I put in 3ac9bc346d736b4a51d676faa2a08a57
    I should get back:
    *** Trojaned openssh-3.4p1.tar.gz ****

    One thing that could make this useful would be a DNS-like interface...
    host 3ac9bc346d736b4a51d676faa2a08a57.knowngoods.org || echo bad
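
A defender's worked version of the lookup thogard describes, added here as an example (not code from knowngoods.org or from anyone in the thread): files are matched on MD5 and SHA-1 together with the path they are expected at, so an empty-file hit or a checksum catalogued for some other path is reported as such instead of being counted as "good". The shipped file contents are constructed; the known-bad MD5 is the one quoted in the post above.

```python
import hashlib

# Constructed catalogue of files "as shipped" (contents are made up for this
# example; a real database carries vendor MD5/SHA-1 pairs, not the files).
SHIPPED_FILES = {
    "/bin/true": b"#!/bin/sh\nexit 0\n",
    "/bin/false": b"#!/bin/sh\nexit 1\n",
    "/var/run/empty.lock": b"",  # empty, like the Mac OS X lock file in the post
}

# Checksums flagged as malicious. The MD5 is the trojaned openssh-3.4p1
# tarball quoted in the thread; nothing else here is from a real source.
KNOWN_BAD = {"3ac9bc346d736b4a51d676faa2a08a57": "Trojaned openssh-3.4p1.tar.gz"}


def digests(data: bytes) -> tuple[str, str]:
    """(md5, sha1) hex digests, the two checksums the database catalogues."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


# (md5, sha1) -> every catalogued path that legitimately has that content
CATALOGUE: dict[tuple[str, str], set[str]] = {}
for _path, _data in SHIPPED_FILES.items():
    CATALOGUE.setdefault(digests(_data), set()).add(_path)


def classify_digest(path: str, md5: str, sha1: str, size: int) -> str:
    """Verdict for a file seen on a suspect system, given its checksums.

    bad        checksum is on the known-bad list
    empty      zero bytes: the empty-file digest matches every empty file,
               so the hit says nothing (thogard's /dev/null result)
    good       checksums catalogued for this very path
    misplaced  checksums catalogued, but for a different path
    unknown    not catalogued: modified, or simply not in the database
    """
    if md5 in KNOWN_BAD:
        return "bad"
    if size == 0:
        return "empty"
    paths = CATALOGUE.get((md5, sha1))
    if paths is None:
        return "unknown"
    return "good" if path in paths else "misplaced"


def classify(path: str, data: bytes) -> str:
    """Hash the file contents and classify them (see classify_digest)."""
    md5, sha1 = digests(data)
    return classify_digest(path, md5, sha1, len(data))
```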

  7. Re:Compromised /bin/md5 by Anonymous Coward · · Score: 2, Funny

    You know they say that the average programmer has a bug in every seven lines they write.

    Then I must be an above average programmer since I have more than one bug every seven lines!

  8. Re:"False" senses of security by Anonymous Coward · · Score: 1, Funny

    All they have to do is install a bloody kernel module that, *gasp* returns good versions of the binaries after it loads. That stops all checksumming.

    The same exact argument applies to the bad guys as applies to the good ones; good guys have limited intelligence and time, and you only have to evade most of them.

    You must be a third-year student.

  9. Re:Compromised /bin/md5 by bonzoesc · · Score: 3, Funny
    What if the hermits' computer components have backdoors that automatically insert backdoors into everything written on them?

    You'd have to have sterile hermits manufacturing CDs out of their own feces and urine (sterile) and burning code on them with laser pointers manufactured from the same source with machines made out of (you guessed it!) poop and piss.

    Now you know why I hate those filthy asshole hermits.

  10. Re:don't forget the ip address by Ben Hutchings · · Score: 3, Funny

    Will send you the files later. My address is 192.168.1.1.