Ethan Benson wrote:
> On Wed, Mar 28, 2001 at 06:42:37PM -0800, William R. Ward wrote:
>
>> One way to test if you have been hacked is to run an MD5 checksum of
>> key binaries and look to see if it's been replaced by the intruder.
>> Is there any place where the MD5 sums of individual executable files
>> (not the .deb files, but the /usr/bin/xxxx files that come from them)
>> can be obtained?
>
>
> some/most(?) debian packages come with md5sum lists, they are in
> /var/lib/dpkg/info/packagename.md5sums. the package debsums can verify
> them. HOWEVER, since these md5sum lists are on the same disk as the
> binaries they cannot be trusted for security purposes, since it would
> be quite easy for an attacker to replace the md5sum lists with ones
> that match the trojaned binaries.
>
> however if you have another debian box you are certain is not
> compromised you can use its md5sums. but you must boot off a known
> clean boot disk and NOT root to the compromised disk, there could be
> kernel modules installed which will hide things.

Couldn't tripwire make that job somewhat easier?
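
The check described in the quoted text, as an added example that is not part of the original thread: md5sums lists taken from a trusted box are verified against the suspect disk while it is mounted from a clean boot. The function names and the temporary directory standing in for the mount point are assumptions, and the sample files are constructed.

```python
import hashlib
import os
import stat
import tempfile


def parse_md5sums(text):
    """Parse a dpkg .md5sums list: '<md5 hex>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        digest, sep, rel_path = line.partition("  ")
        if sep:
            entries[rel_path.lstrip("/")] = digest.lower()
    return entries


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def verify_root(trusted, suspect_root):
    """Return {path: status} for each trusted entry that fails under suspect_root."""
    findings = {}
    for rel_path, expected in sorted(trusted.items()):
        target = os.path.join(suspect_root, rel_path)
        try:
            # lstat: a symlink would resolve against the rescue system, so never follow it
            mode = os.lstat(target).st_mode
        except (FileNotFoundError, NotADirectoryError):
            findings[rel_path] = "MISSING"
            continue
        if not stat.S_ISREG(mode):
            findings[rel_path] = "NOT_REGULAR"
        elif md5_of(target) != expected:
            findings[rel_path] = "MISMATCH"
    return findings


def demo():
    clean = {"usr/bin/ls": b"ls v1", "usr/bin/ps": b"ps v1", "usr/bin/top": b"top v1"}
    listing = "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in clean.items())
    with tempfile.TemporaryDirectory() as root:  # constructed stand-in for the suspect disk
        os.makedirs(os.path.join(root, "usr/bin"))
        for p, d in {"usr/bin/ls": b"ls v1", "usr/bin/ps": b"ps v2"}.items():
            with open(os.path.join(root, p), "wb") as fh:
                fh.write(d)
        return verify_root(parse_md5sums(listing), root)
```

In real use the list text would come from the trusted machine's copy of the package's .md5sums file, and `suspect_root` would be wherever the clean boot environment mounted the suspect disk.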