Slashdot Mirror
Known-Good MD5 Database
bgp4 writes "Have you ever examined a system you thought was broken into but you weren't sure? If only you had run an integrity verification program like osiris or Tripwire first you could have figured out what programs had been changed. In an effort to help out in the instances when you can't answer the question "what was this like before?" we've constructed a searchable database of MD5 and SHA-1 hashes for files in many standard operating systems. You can search using the filename or the checksum and see if you have a trojaned binary or an overactive imagination. Currently at knowngoods.org we have many FreeBSD, OS X, Linux, and Solaris installations checksummed and cataloged. If you have other programs or distributions you would like to see in the database, please let us know."
This is great for precompiled binaries, but it won't work so well for config files - they're different from system to system. I have a better solution:
/etc/passwd and /etc/shadow are especially likely to be modified, so I'd recommend sending those right away.
Anyone who wants to make sure their important config files haven't been changed by an intruder can email them to me, and I'll hold on to them for safe keeping.
Ok, lets see if I've been hacked... /dev/null
/dev/null with /private/var/servermgrd/servermgr_dirserv.lock from Mac OS X. What a bummer and its a brand new system too...
$ md5
d41d8cd98f00b204e9800998ecf8427e
So I put d41d8cd98f00b204e9800998ecf8427e in the search engine and it came up with 560 hits (compared with 3170 from google).
Now it appears that someone replaced my
Does the database have a way to flag files as being bad? Sa
When I put in 3ac9bc346d736b4a51d676faa2a08a57
I should get back:
*** Trojaned openssh-3.4p1.tar.gz ****
One thing that could make this useful would be a dns like interface...
host 3ac9bc346d736b4a51d676faa2a08a57.knowngoods.org || echo bad