Another potential home for this script is tiger, which also currently
has an MD5-only checker:
https://sources.debian.org/src/tiger/1:3.2.4%7Erc1-1/systems/Linux/2/deb_checkmd5sums/
It may be more probable that they simply infect a hidden file in your
home directory[...]
I would presume that you have booted from DVD when checking your
installation since it does not make sense to check from within an
infected system. That would fail in almost 100% of the cases.
This check was done from within the system (it was never intended to
be a perfect test - as you note, it can be evaded by infecting a
non-package-owned file), but my script can also do checking from a DVD
boot.
An infected system will also alter the md5sum utility so that it will
return the md5 of the pristine file instead of the altered one which is
actually on disk (I have already seen that). Concerning your program I
have seen that it uses /var/lib/dpkg/info/$2.md5sums. This is inherently
unsafe because an attacker can simply alter this file alongside all
the other altered files. Everyone knows about this file, and if I logged in
via ssh and did some manual cracking then I also replaced the md5s in
that file with sed -i.
Nonetheless manual sha512-lists are generally more secure than tools
just checking files in the packages like debcheckroot because they also
record files that are not in the installation database as well as files
auto-generated/altered on installation by installation scripts. You can
create such a sha512-list after securely offline-installing and put it
on an sdcard which you always take with you. I like sdcards because they
have a read-only switch and are very small and flat so that you can
easily take them with you. Read-only switches are a security feature
because you can read the content without the fear that it may be
altered. Of course you cannot easily install new packages then. That
requires you to check all the sha512s via a clean boot medium. After
that you can boot into the system, install new packages and update the
sha512s. I also take the boot media with me, where the dvd images reside
on sdcards bootable via a USB-sdcard adapter. The read-only switch makes
it as safe as a read-only burnt dvd.
Concerning debcheckroot I had planned to make it support mounting
different install-dvds/bds. At the moment it only works with a single
install Blu-ray. Installing from Blu-ray or dvd is an additional
security measure you can take to spot malware. I would not have been
able to spot the rootkit I had talked about in my last mail in
Brasileia, Brazil (Cobija, Bolivia) if I had decided to install online
updates because then fetching the updated packages for the tool
(debcheckroot supports this) would have been much more complicated.
Downloads can be and often are impersonated if you do not use tor, so that
you will be shipped the malwared packages for comparison instead of the
original ones. So always use tor with debcheckroot if you do not have
all the packages available offline. To come back to the rootkit spotted
in South America, I had the fortune to spot it only because I could
compare all files 1:1, which was only possible because I did not need
online repositories to install the clean image of the distro.
Here is again the reference for debcheckroot:
https://www.elstel.org/debcheckroot/
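The manual sha512-list approach described in the message above, written out as an added shell example (not debcheckroot's code and not part of the original thread): make_manifest records the hash of every regular file below a root, and verify_manifest later reports files that changed, files that disappeared, and files that are present on disk but absent from the list (the hidden-file-in-$HOME case). It assumes GNU coreutils (sha512sum, find, sort, comm); the exclusion of ./proc, ./sys, ./dev and ./run is my assumption about which trees never belong in such a list. Under a clean boot the disk would be mounted somewhere like /mnt/root and passed as ROOT, with the manifest read from the write-protected sdcard, so the hash tool and the list are both taken from the trusted medium rather than from the system under test.

```shell
#!/bin/sh
# list_files ROOT: every regular file under ROOT, as "./path", skipping
# kernel-generated and runtime trees (assumed exclusion list).
list_files() {
    ( cd "$1" && find . \( -path ./proc -o -path ./sys -o -path ./dev \
        -o -path ./run \) -prune -o -type f -print )
}

# make_manifest ROOT OUT: write "sha512  ./path" for every file, relative
# to ROOT, so the same list works for "/" on the live system and for a
# mount point of that disk under a clean boot medium.
make_manifest() {
    root=$1; out=$2
    ( cd "$root" && list_files . | LC_ALL=C sort |
        while IFS= read -r f; do sha512sum "$f"; done ) > "$out"
}

# list_unlisted ROOT MANIFEST: paths on disk that the manifest never saw.
list_unlisted() {
    root=$1; manifest=$2
    listed=$(mktemp); present=$(mktemp)
    sed 's/^[0-9a-f]\{128\}  //' "$manifest" | LC_ALL=C sort > "$listed"
    list_files "$root" | LC_ALL=C sort > "$present"
    LC_ALL=C comm -13 "$listed" "$present"
    rm -f "$listed" "$present"
}

# verify_manifest ROOT MANIFEST: exit 0 only if every listed file still
# exists with its recorded hash and nothing unlisted has appeared.
verify_manifest() {
    root=$1; manifest=$2; status=0
    # sha512sum -c prints "./path: FAILED" for altered and missing files.
    ( cd "$root" && sha512sum -c --quiet "$manifest" ) || status=1
    extra=$(list_unlisted "$root" "$manifest")
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/UNLISTED: /'
        status=1
    fi
    return $status
}

# Typical use from a clean boot, manifest kept on the read-only sdcard:
#   make_manifest /mnt/root /media/sdcard/root.sha512   (once, after install)
#   verify_manifest /mnt/root /media/sdcard/root.sha512 (before trusting it)
```

Because the hash tool runs from the boot medium and the list never lives on the checked disk, neither a replaced md5sum binary nor an edited /var/lib/dpkg/info/*.md5sums can mask a modification; the price is that the list must be regenerated after every legitimate package install or upgrade.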