Slashdot Mirror

← Back to Stories (view on slashdot.org)

Known-Good MD5 Database

Posted by timothy on from the damn-good-idea dept.

bgp4 writes "Have you ever examined a system you thought was broken into but you weren't sure? If only you had run an integrity verification program like osiris or Tripwire first you could have figured out what programs had been changed. In an effort to help out in the instances when you can't answer the question "what was this like before?" we've constructed a searchable database of MD5 and SHA-1 hashes for files in many standard operating systems. You can search using the filename or the checksum and see if you have a trojaned binary or an overactive imagination. Currently at knowngoods.org we have many FreeBSD, OS X, Linux, and Solaris installations checksummed and cataloged. If you have other programs or distributions you would like to see in the database, please let us know."

2 of 307 comments (clear)

  1. Re:You know... this brings up a question.... by jcoy42 · · Score: 5, Interesting

    You could start by subscribing to the forensics mailing list over at securityfocus.com. The honeypots list is also of interest.

    Both lists have a fairly good signal-to-noise ratio, and there is a lot of good info to be had.

    If nothing else, it's certainly a good place to ask that exact question.

    You can sign up here.

    --
    Never trust an atom. They make up everything.
  2. Re:Yes, in fact, I have! by Anonymous Coward · · Score: 5, Interesting

    Have to AC this one....

    [ This is a story about why getting "good" checksums to start with is very important. ]

    On a related topic: Ever examined a system you didn't think was broken into, and were sure?

    The sysadmins at my old school did. And they were wrong.

    You see, they connected a new box, the replacement main server, to the LAN, and used an easily-guessable password convention for staff accounts, PRIOR TO RUNNING TRIPWIRE on it. Seems "someone" got in and changed a few key binaries, THEN the admins ran Tripwire. Periodically, when the system got munged and a restore was required, they'd restore the original tapes, Tripwire would yell about a few binaries (including some innocuous distractors), and the admins would dutifully go to backups, find the modified binaries and restore them, figuring they had to be right, because of course, they matched the Tripwire signatures.

    Ya gotta love self-repairing back doors when you're a student at the mercy of admins who work 9-5 M-F, NFS and lpd subsystems that croak only after 10pm or on weekends, and newbies who fill up file systems.

    The local 3-person student root cabal used these back doors for several years, until the machine was replaced. AFAIK, the admins never knew. They had spent much of my undergrad time trying to find SOMETHING I'd done, to punish me for, so if they'd known about this...