Slashdot Mirror
Known-Good MD5 Database
bgp4 writes "Have you ever examined a system you thought was broken into but you weren't sure? If only you had run an integrity verification program like osiris or Tripwire first you could have figured out what programs had been changed. In an effort to help out in the instances when you can't answer the question "what was this like before?" we've constructed a searchable database of MD5 and SHA-1 hashes for files in many standard operating systems. You can search using the filename or the checksum and see if you have a trojaned binary or an overactive imagination. Currently at knowngoods.org we have many FreeBSD, OS X, Linux, and Solaris installations checksummed and cataloged. If you have other programs or distributions you would like to see in the database, please let us know."
Wouldn't this be useless to anybody that builds from source?
I've been wondering when something along these lines would be available.
[devil's advocate] However, how do we know that the pregenerated checksums are correct? Who watches the watchers? [/devil's advocate]
Yah, yah, I know, the easiest way is to inspect the source for the minicompiler, the main compiler, and the program by hand, then build all of them step-by-step until you're done, then use the final binary to generate your hash. I wonder, tho, how much drift might there be in using a pre-built compiler (say I D/Led the binaries for GCC and the libraries to go with it). One tiny change in machine state (or any other number of things I would suppose) could result in the final binary being a single byte off, and the whole thing's a wash.
Granted, I may be talking out of my ass here, could someone w/ some hard-core coding knowledge or CS experience expound on the above?
Considering its history of vulnerabilities, I'd think that this would be pretty important...
What they don't say and what a lot of security folks forget to do is that they can't check your checksums of binaries on the same box. You need to copy the files to another box and check the checksums there with a known good version of your checksumming binary. The local version of your checksumming binary could have been compromised.
Heck, the utilities you used to pull the binary off the machine in question could have been compromised and may not be actually copying the binary in question, but a good version of the binary. The only way to check this would be to mount the drive on another machine and check it there... And if people aren't doing that (which it's a pain in the ass) all this website is going to do is give people a false sense of security.
All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
A few months ago I put together a list of the "polymorphic" files in FreeBSD 4.6:
These files are always going to set off alarms if you've upgraded-by-source. (On the other hand, if a file *not* on this list has a different checksum, it probably just means that you've applied a security patch.)
Tarsnap: Online backups for the truly paranoid
Boot from a known good floppy or CD to check your md5sums.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
This is great for precompiled binaries, but it won't work so well for config files - they're different from system to system. I have a better solution:
/etc/passwd and /etc/shadow are especially likely to be modified, so I'd recommend sending those right away.
Anyone who wants to make sure their important config files haven't been changed by an intruder can email them to me, and I'll hold on to them for safe keeping.
The fancy way to do that is with an Authenticode-like system for signing files. Distro maintainers would sign the files in their distros, and users could also sign their own files. A simpler way would be to just have a big, signed list of md5's in some file that tripwire checks against. Tripwire would check the signature on the file before believing the md5's in it. Or the list could contain individual signatures per file instead of just hashes.
A centralized md5 database doesn't feel so right with the free software spirit, which says (legitimate) users could modify the files at any time, or just recompile them with a slightly different compiler, etc.
Debian has this built into the OS with debsums.
It does require a legit dpkg database (and md5sum, and the debsums program itself...) but it's a nice tool.
NIST (The National Institute of Standards and Technology) currently has a program to provide this service, though largely focused on Microsoft OSes and associated apps. It may be found here: National Software Reference Library
The complete list of software they've checksummed can be found here: Software Listing or you can use their search engine if you're looking for a specific application here: Search Engine
The reality of the matter is that, while it certainly would be possible for somebody to gag a machine to evade all your wascally checksumming tricks, they frequently don't do so. And when they do it, there's the usual arms-race lag between the time when a new method of checking comes out and when they update their tools to evade it. And there's a cost to them for each defense they evade; if you want to avoid every defense you ever hear of, you basically have to roll your own rootkits, which is a huge time investment.
And a kiddie who's out there collecting hundreds of boxes has no particular incentive to be anal about holding onto yours.
Fucking pompous amateurs.
For Red Hat-based systems, at least, rpm -V will do pretty much exactly what you're looking for.
... The (mnemonically emBoldened) character denotes failure of the corresponding --verify test:
/etc/php.ini
/etc/httpd/conf/httpd.conf /var/www/html/index.html /var/www/html/poweredby.png
:)
From the man page for rpm:
The general form of an rpm verify command is
rpm {-V|--verify} [select-options] [--nodeps] [--nofiles] [--nomd5] [--noscripts]
Verifying a package compares information about the installed files in the package with
information about the files taken from the package metadata stored in the rpm database. Among other things, verifying compares the size, MD5 sum, permissions, type, owner and group of each file. Any discrepencies are displayed.
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mis-match
L readLink(2) path mis-match
U User ownership differs
G Group ownership differs
T mTime differs
So while that's a bit cryptic, a shell script run once every x days (30? 14?) should tell you what files have changed. All you would have to do is run rpm -qa to grab a list of the packages in your system, and then loop through the list and run rpm -V for each RPM returned.
For instance, running rpm -V on two common packages, Apache and PHP, shows me the following:
# rpm -V php
S.5....T c
(php.ini has changed... which in this case means I've tweaked some of PHP's default settings.)
# rpm -V apache
S.5....T c
missing
missing
(Okay, I've changed httpd.conf, again pretty much a given, and I've removed a couple of the default files.)
I guess this website seems pretty unneeded to me. Granted, the above is just for RPM-based systems, but I'm sure Debian and ports have similar options. And to the people who have installed from source and say "What about me?", I say, first, never underestimate the power of a package management system, and second, check out CheckInstall, which allows you to create an RPM or DEB just by saying "checkinstall" instead of "make install". If you feel you must compile from source, checkinstall is a necessity! Using checkinstall gives you all the benefits of a package management system while still allowing for the flexibility that compiling from source provides.
Between checkinstall and up2date, I'm a very happy Red Hat customer. I just wish more people knew about some of the truly powerful things in package management systems (such as the verify command detailed above.) Package management systems are there for a reason. Use them!
Simpli - Your source for San Jose dedicated servers and colocation!
Ok, lets see if I've been hacked... /dev/null
/dev/null with /private/var/servermgrd/servermgr_dirserv.lock from Mac OS X. What a bummer and its a brand new system too...
$ md5
d41d8cd98f00b204e9800998ecf8427e
So I put d41d8cd98f00b204e9800998ecf8427e in the search engine and it came up with 560 hits (compared with 3170 from google).
Now it appears that someone replaced my
Does the database have a way to flag files as being bad? Sa
When I put in 3ac9bc346d736b4a51d676faa2a08a57
I should get back:
*** Trojaned openssh-3.4p1.tar.gz ****
One thing that could make this useful would be a dns like interface...
host 3ac9bc346d736b4a51d676faa2a08a57.knowngoods.org || echo bad
Sun already provides this for Solaris.
s .p l
http://sunsolve.Sun.COM/pub-cgi/fileFingerprint
It contains information for:
Operating Systems
Solaris SPARC - 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.5.1, 2.6, Solaris 7 and Solaris 8
Solaris x86 - 2.1, 2.4, 2.5, 2.5.1, 2.6, Solaris 7 and Solaris 8
Solaris PPC - 2.5.1
Trusted Solaris SPARC - 2.5, 2.5.1 and 7
Trusted Solaris 7 x86
Most CDs bundled with Solaris 2.6 and later.
Patches
Nearly all released Solaris patches, including all SunSolve CDs to date. (4.0.11)
All Solaris 2.6/7 Maintenance updates.
All patches available from SunSolve.
Unbundled Products
Around 150 CDs with unbundled products are included. If you are missing any particular product, please feel free to send email and we will try to include it as soon as possible.
You could start by subscribing to the forensics mailing list over at securityfocus.com. The honeypots list is also of interest.
Both lists have a fairly good signal-to-noise ratio, and there is a lot of good info to be had.
If nothing else, it's certainly a good place to ask that exact question.
You can sign up here.
Never trust an atom. They make up everything.
Have to AC this one....
[ This is a story about why getting "good" checksums to start with is very important. ]
On a related topic: Ever examined a system you didn't think was broken into, and were sure?
The sysadmins at my old school did. And they were wrong.
You see, they connected a new box, the replacement main server, to the LAN, and used an easily-guessable password convention for staff accounts, PRIOR TO RUNNING TRIPWIRE on it. Seems "someone" got in and changed a few key binaries, THEN the admins ran Tripwire. Periodically, when the system got munged and a restore was required, they'd restore the original tapes, Tripwire would yell about a few binaries (including some innocuous distractors), and the admins would dutifully go to backups, find the modified binaries and restore them, figuring they had to be right, because of course, they matched the Tripwire signatures.
Ya gotta love self-repairing back doors when you're a student at the mercy of admins who work 9-5 M-F, NFS and lpd subsystems that croak only after 10pm or on weekends, and newbies who fill up file systems.
The local 3-person student root cabal used these back doors for several years, until the machine was replaced. AFAIK, the admins never knew. They had spent much of my undergrad time trying to find SOMETHING I'd done, to punish me for, so if they'd known about this...