Known-Good MD5 Database

bgp4 writes "Have you ever examined a system you thought was broken into but you weren't sure? If only you had run an integrity verification program like osiris or Tripwire first you could have figured out what programs had been changed. In an effort to help out in the instances when you can't answer the question "what was this like before?" we've constructed a searchable database of MD5 and SHA-1 hashes for files in many standard operating systems. You can search using the filename or the checksum and see if you have a trojaned binary or an overactive imagination. Currently at knowngoods.org we have many FreeBSD, OS X, Linux, and Solaris installations checksummed and cataloged. If you have other programs or distributions you would like to see in the database, please let us know."

Yes, in fact, I have!

Have you ever examined a system you thought was broken into but you weren't sure?

Just about every time I've broken into a system! :)

Re:Yes, in fact, I have!

Have to AC this one....

[ This is a story about why getting "good" checksums to start with is very important. ]

On a related topic: Ever examined a system you didn't think was broken into, and were sure?

The sysadmins at my old school did. And they were wrong.

You see, they connected a new box, the replacement main server, to the LAN, and used an easily-guessable password convention for staff accounts, PRIOR TO RUNNING TRIPWIRE on it. Seems "someone" got in and changed a few key binaries, THEN the admins ran Tripwire. Periodically, when the system got munged and a restore was required, they'd restore the original tapes, Tripwire would yell about a few binaries (including some innocuous distractors), and the admins would dutifully go to backups, find the modified binaries and restore them, figuring they had to be right, because of course, they matched the Tripwire signatures.

Ya gotta love self-repairing back doors when you're a student at the mercy of admins who work 9-5 M-F, NFS and lpd subsystems that croak only after 10pm or on weekends, and newbies who fill up file systems.

The local 3-person student root cabal used these back doors for several years, until the machine was replaced. AFAIK, the admins never knew. They had spent much of my undergrad time trying to find SOMETHING I'd done, to punish me for, so if they'd known about this...

What about source builds?

Wouldn't this be useless to anybody that builds from source?

Re:What about source builds?

[Cerlyn]

Indeed; the capability of such a system is a bit limited with operating systems like FreeBSD, which actively *encourage* their users to build/rebuild from sources. IIRC, FreeBSD actually only gives intermediate security updates in source code format so you have to compile them (not too hard: cd /usr/src ; make buildworld).

So, recording the checksum to /bin/ls, etc. is a bit flawed in that when I do a "make buildworld", my custom configuration parameters from /etc/make.conf get used, overriding CPU type, if Xfree86 is installed, etc. Since my system's parameters likely will not match FreeBSD's master build system, there is a high chance that the checksums after I do a rebuild are significantly different.

But for non-source distributions (Redhat, etc.) this concept is excellent, assuming that no one compromises the database or the OS kernel. Unfortunately, no database checksummer will ever counteract the case when the OS kernel itself is compromised, potentially returning one file when scanned and another when executed.

Still, it wouldn't hurt for them to record source file checksums as well; after all, having an independant checksumming group would require them to be compromised as well as the FTP network, making an attacker's life harder.

Re:What about source builds?

[pVoid]

Indeed.

In fact, this system would be best suited for systems which aren't OSS... such as windows =)

crowd boos... stones and rotten tomatoes fly as author runs for cover

:)

Re:What about source builds?

[pVoid]

Yes, the Win32 PE format (portable executable) has a checksum field which is 'normally' not used.

It *is* checked for *some* critical system images however... I know for sure that some files in /system32 (so called 'KnownDlls') are among this list.

Note though, that this checksum is to prevent accidental data corruption and not maintain system security integrity; since the checksum field is actually in the file itself, it can be updated after a virus/haxxor has patched the target file.

Re:What about source builds?

[deranged+unix+nut]

Unless your compiler, linker, assembler, libraries, or source code have been modified.

Sheesh, dosen't anyone read old ACM articles?

http://www.acm.org/classics/sep95/

At some point, unless you build your system from scratch, cross compile on multiple systems, burn your own BIOS ROM, and write the microcode for your NIC and all other interface devices, you are trusting *SOMEONE ELSE* for the security of your system.

ooooo nifty

[netwiz]

I've been wondering when something along these lines would be available.

[devil's advocate] However, how do we know that the pregenerated checksums are correct? Who watches the watchers? [/devil's advocate]

Yah, yah, I know, the easiest way is to inspect the source for the minicompiler, the main compiler, and the program by hand, then build all of them step-by-step until you're done, then use the final binary to generate your hash. I wonder, tho, how much drift might there be in using a pre-built compiler (say I D/Led the binaries for GCC and the libraries to go with it). One tiny change in machine state (or any other number of things I would suppose) could result in the final binary being a single byte off, and the whole thing's a wash.

Granted, I may be talking out of my ass here, could someone w/ some hard-core coding knowledge or CS experience expound on the above?

What about Windows OS?

[scubacuda]

I didn't see the ability to search for Windows MD5 hashes.

Considering its history of vulnerabilities, I'd think that this would be pretty important...

Re:What about Windows OS?

[kubrick]

What about viruses that change the structure of the files they infect? Especially ones that haven't been spotted by the anti-virus firms yet (rare, I know, because they probably develop and release most of them).

Also, can't people still use disassemblers to 'crack' files, and maybe add backdoors at the same time?

Both of these activities would be reflected by checksum changes.

Compromised /bin/md5

[Cadre]

What they don't say and what a lot of security folks forget to do is that they can't check your checksums of binaries on the same box. You need to copy the files to another box and check the checksums there with a known good version of your checksumming binary. The local version of your checksumming binary could have been compromised.

Heck, the utilities you used to pull the binary off the machine in question could have been compromised and may not be actually copying the binary in question, but a good version of the binary. The only way to check this would be to mount the drive on another machine and check it there... And if people aren't doing that (which it's a pain in the ass) all this website is going to do is give people a false sense of security.

Polymorphic files

[cperciva]

There is one problem with this: Some files are going to be different every time they are compiled. In particular, quite a few files include time stamps.

A few months ago I put together a list of the "polymorphic" files in FreeBSD 4.6:

/kernel, /boot/loader, and /boot/pxeboot all contain user, host, time, and date stamps, as expected.

All .a files (126 in /usr/lib, one in /usr/libdata/perl/5.00503/mach/auto/DynaLoader) contain indices of .o files, including seconds-since-epoch stamps

User, host, time, and date stamps are found in /etc/mail/freebsd.cf /usr/sbin/named /usr/libexec/named-xfer

Time and date stamps are found in: /usr/bin/suidperl /usr/bin/ntpq /usr/sbin/ntp(d|date|dc|timeset|trace) /usr/sbin/isdn(d|debug|monitor|phone|telctl) /usr/libdata/perl/5.00503/mach/perllocal.pod

Date stamps are found in: /usr/sbin/ppp /var/db/port.mkversion /usr/share/doc/usd/(07.mail|13.viref|18.msdiffs|19 .memacros|20.meref)/paper.ascii.gz (once you ungzip them) /usr/share/perl/man/man3/(Config|DynaLoader).3.gz (once you ungzip them)

Files which are always the same size, but have randomized contents: /usr/share/games/fortune/*.dat /var/games/phantasia/void

These files are always going to set off alarms if you've upgraded-by-source. (On the other hand, if a file *not* on this list has a different checksum, it probably just means that you've applied a security patch.)

Re:So what about the obvious scenario...

[BitHive]

Then I imagine that as soon as someone changes a hash, many secure systems will indicate they've been comprimised, and the whole thing will be quite obvious to sort out.

md5sum Binary Might Be Trojaned

[John+Hasler]

Boot from a known good floppy or CD to check your md5sums.

Filtered as a "Hacking" site

[KidSock]

Mu corporate www proxy filters this site as category "Hacking".

config files

[Erpo]

This is great for precompiled binaries, but it won't work so well for config files - they're different from system to system. I have a better solution:

Anyone who wants to make sure their important config files haven't been changed by an intruder can email them to me, and I'll hold on to them for safe keeping. /etc/passwd and /etc/shadow are especially likely to be modified, so I'd recommend sending those right away.

Something's wrong here

[phr2]

If we need an external database of md5's to authenticate so many different files, that means that md5's weren't really the right authentication method to begin with. It's better to use digital signatures.

The fancy way to do that is with an Authenticode-like system for signing files. Distro maintainers would sign the files in their distros, and users could also sign their own files. A simpler way would be to just have a big, signed list of md5's in some file that tripwire checks against. Tripwire would check the signature on the file before believing the md5's in it. Or the list could contain individual signatures per file instead of just hashes.

A centralized md5 database doesn't feel so right with the free software spirit, which says (legitimate) users could modify the files at any time, or just recompile them with a slightly different compiler, etc.

Debian / debsums

[zsazsa]

Debian has this built into the OS with debsums.

It does require a legit dpkg database (and md5sum, and the debsums program itself...) but it's a nice tool.

Another Resource

[Taim]

NIST (The National Institute of Standards and Technology) currently has a program to provide this service, though largely focused on Microsoft OSes and associated apps. It may be found here: National Software Reference Library

The complete list of software they've checksummed can be found here: Software Listing or you can use their search engine if you're looking for a specific application here: Search Engine

Bleah

[digitaltraveller]

NIST does this too. For a different reason though. To help forensic examiners eliminate non-important data in a suspect's computer. They use 4 different hash algorithms (MD5, SHA-1, CRC32, and one other), so good luck finding a collision for all 4. They were giving out copies of the CD-hashdb at an InfoSec conference I was at recently.

Re:Useless for RPM-Based Distribuitons

[Mnemia]

I'd also mention that it appears to be useless for BSD or Gentoo-like systems as well. BSD because it's built form source and the fingerprints won't always match, and Gentoo because there's already something like this built directly into the system, at least for verifying source tarballs.

Gentoo checks the md5sum of each tarball against another file containg the known value every time it installs something. The md5sums and the sources are obtained from different servers, so a lot of the risk of trojans is removed. Granted, this doesn't do continuous monitoring like this does, but it helps ensure you don't install something bad. The biggest worry now with this system could be vulnerable if several mirrors are hacked. They're working to replace it with a private-key signed system, which is much better than and md5 based system. The reason being that, that you can verify _who_ created the checksum in addition to that the checksum matches the file.

So, I'm not sure what the real benefit of this system is. It seems to be duplicating a lot of features that really should be built into the package manager ideally. Maybe someday we'll have package managers that actually watch their packages in realtime w/ strong crypto to make sure things are still good. That would be very cool.

Excellent!

[defile]

Now I can add a compromised md5sum to my rootkit which uses values from this site.

Go team!

"False" senses of security

[Hizonner]

Spoken like a true second-year student.

The reality of the matter is that, while it certainly would be possible for somebody to gag a machine to evade all your wascally checksumming tricks, they frequently don't do so. And when they do it, there's the usual arms-race lag between the time when a new method of checking comes out and when they update their tools to evade it. And there's a cost to them for each defense they evade; if you want to avoid every defense you ever hear of, you basically have to roll your own rootkits, which is a huge time investment.

And a kiddie who's out there collecting hundreds of boxes has no particular incentive to be anal about holding onto yours.

... and everybody makes mistakes. Yes, you're right, looking at checksums gives you absolutely no security against omniscient adversaries with infinite resources. Luckily, real adversaries are not omniscient and have limited resources. Yes, you'll even miss some of the real adversaries. You'll also catch some. Probably a lot. Nothing is perfect. Deal with it.

Fucking pompous amateurs.

Er, rpm -V?

[SlashChick]

For Red Hat-based systems, at least, rpm -V will do pretty much exactly what you're looking for.

From the man page for rpm:

The general form of an rpm verify command is

rpm {-V|--verify} [select-options] [--nodeps] [--nofiles] [--nomd5] [--noscripts]

Verifying a package compares information about the installed files in the package with
information about the files taken from the package metadata stored in the rpm database. Among other things, verifying compares the size, MD5 sum, permissions, type, owner and group of each file. Any discrepencies are displayed. ... The (mnemonically emBoldened) character denotes failure of the corresponding --verify test:

S file Size differs

M Mode differs (includes permissions and file type)

5 MD5 sum differs

D Device major/minor number mis-match

L readLink(2) path mis-match

U User ownership differs

G Group ownership differs

T mTime differs


So while that's a bit cryptic, a shell script run once every x days (30? 14?) should tell you what files have changed. All you would have to do is run rpm -qa to grab a list of the packages in your system, and then loop through the list and run rpm -V for each RPM returned.

For instance, running rpm -V on two common packages, Apache and PHP, shows me the following:
# rpm -V php
S.5....T c /etc/php.ini
(php.ini has changed... which in this case means I've tweaked some of PHP's default settings.)

# rpm -V apache
S.5....T c /etc/httpd/conf/httpd.conf
missing /var/www/html/index.html
missing /var/www/html/poweredby.png
(Okay, I've changed httpd.conf, again pretty much a given, and I've removed a couple of the default files.)

I guess this website seems pretty unneeded to me. Granted, the above is just for RPM-based systems, but I'm sure Debian and ports have similar options. And to the people who have installed from source and say "What about me?", I say, first, never underestimate the power of a package management system, and second, check out CheckInstall, which allows you to create an RPM or DEB just by saying "checkinstall" instead of "make install". If you feel you must compile from source, checkinstall is a necessity! Using checkinstall gives you all the benefits of a package management system while still allowing for the flexibility that compiling from source provides.

Between checkinstall and up2date, I'm a very happy Red Hat customer. I just wish more people knew about some of the truly powerful things in package management systems (such as the verify command detailed above.) Package management systems are there for a reason. Use them! :)

Re:But what happens...

[kasperd]

when they trojan your MD5 checksummer?

Then your compromised system might apear to be clean. I have actually seen a system where that has happened. But the intruder forgot to trojan the rpm executable, "rpm -Va" revealed everything. But had the intruder trojaned the rpm executable too, that wouldn't have worked. The only secure way to use the verification tool is to boot from a readonly media and run the tool from there.

how does this work?

[thogard]

Ok, lets see if I've been hacked...
$ md5 /dev/null
d41d8cd98f00b204e9800998ecf8427e

So I put d41d8cd98f00b204e9800998ecf8427e in the search engine and it came up with 560 hits (compared with 3170 from google).

Now it appears that someone replaced my /dev/null with /private/var/servermgrd/servermgr_dirserv.lock from Mac OS X. What a bummer and its a brand new system too...

Does the database have a way to flag files as being bad? Sa

When I put in 3ac9bc346d736b4a51d676faa2a08a57
I should get back:
*** Trojaned openssh-3.4p1.tar.gz ****

One thing that could make this useful would be a dns like interface...
host 3ac9bc346d736b4a51d676faa2a08a57.knowngoods.org || echo bad

Solaris Fingerprint Database

[nbvb]

Sun already provides this for Solaris.

http://sunsolve.Sun.COM/pub-cgi/fileFingerprints .p l

It contains information for:

Operating Systems

Solaris SPARC - 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.5.1, 2.6, Solaris 7 and Solaris 8
Solaris x86 - 2.1, 2.4, 2.5, 2.5.1, 2.6, Solaris 7 and Solaris 8
Solaris PPC - 2.5.1
Trusted Solaris SPARC - 2.5, 2.5.1 and 7
Trusted Solaris 7 x86
Most CDs bundled with Solaris 2.6 and later.

Patches

Nearly all released Solaris patches, including all SunSolve CDs to date. (4.0.11)
All Solaris 2.6/7 Maintenance updates.
All patches available from SunSolve.

Unbundled Products

Around 150 CDs with unbundled products are included. If you are missing any particular product, please feel free to send email and we will try to include it as soon as possible.

What about AIDE?

[strobert]

the poster mentions Tripwaire, but what about AIDE?
In additon to being a proper Open Source project, it allows for features that (last I heard at any rate) tripwire doesn't support, like a centralized checksum DB. That feature alone makes the tool superior (IMHO). For example it makes the verification process a lot nicer (intruder can't courrpt the local md5sum's because there aren't any).

Re:You know... this brings up a question....

[jcoy42]

You could start by subscribing to the forensics mailing list over at securityfocus.com. The honeypots list is also of interest.

Both lists have a fairly good signal-to-noise ratio, and there is a lot of good info to be had.

If nothing else, it's certainly a good place to ask that exact question.

You can sign up here.

Versions?

[tconnors]

OK - debian seemed to have one version there - r5, whatever that is. How does it handle apt-get upgrades? If r5 is reffering to something like stable, then even stable changes over time (contrary to what some poeple think ;-). So do they take the checksums from a machine that was just apt-get upgraded last night, or what? If they mean an actual yearly or half yearly release, who on this world does not apt-get upgrade when there is a security fix released? So your system sure as hell aint going to match theirs.

Then I can't imagine how you would be able to automate this, so it checks all the binaries in /bin /sbin, /usr/sbin etc - do they have some alternative to HTTP for their database?

Doesn't seem overly useful to me....

Straightforward solution

[zunger]

I found a fairly straightforward solution to this problem. I wrote a small wrapper around a known-good md5 function, compiled it and placed it in a nonstandard location. (Thus it doesn't have a widely recognizeable filesize or md5 to be detected and stomped) Then I wrote a simple shell script which checksums various critical files on a regular basis and tests the MD5 values against a record it keeps, again in a private location. Whenver a change happens, it sets off alarm bells all over the place, both in syslogs and on the console.

On top of this I stuck in one small bit of shell script that allowed me to modify a file myself without setting off alarms - it simply recalculated the md5 value and updated the record files.

I suppose this is theoretically vulnerable to an attacker reading through /etc/crontab, then checking each local shell script for a sensor and carefully overwriting my own nonstandard code - but if any attacker has that much free time on his hands, there's a limit to how much of a sensor I can implement.

The nice thing about this code is that it also implicitly tests for corruption of critical files after fsck-triggering events like kernel panics or total power failures. (That's actually what prompted its initial writing) And it's remarkably trivial to implement, even more so if one simply copies an off-the-shelf md5 binary rather than compiling one's own wrapper.