Hi,

On Tue, 17 Sep 2002, Claudio Martins wrote:

> You can check the date and size of some files like /bin/ps /bin/netstat to
> see if they have timestamps consistent with the other files on the same
> directories and check that their size is not too small or too big. A normal
> ps should have around 60kB and netstat around 86kB. If you see big
> differences, suspect that your machine has been compromised and some kind of
> rootkit may have been installed.

Doing this is not the best way. The changes by the rootkit could change the shared libraries that these files use instead, or replace the programs with some of identical size and date that simply link to the trojaned versions (e.g. /somewhere/.realps etc.)

Instead I recommend something like the following:

I used Red Hat several years ago and their package system RPM has a handy option that lets you scan all installed files to see if they have been modified from the original installation. There is a similar tool for Debian, it is called debsums and is unfortunately not installed by default (it could be problematic to have to install it after a compromise has been identified, since you might want to isolate the machine from the network during the investigation). So I suggest you install this right away.

Anyway, to use it simply run "debsums" and pipe the output somewhere useful. It will check the MD5 sums of each file installed by the Debian package management system and report OK or FAILED for each. If you have any FAILED, they are either configuration files that you (or a program) have edited locally, or have been tampered with by an attacker (or filesystem error, etc).

If you suspect a certain package has changed and do not want to change the entire system you can specify just that package, e.g. "debsums ssh" or "debsums fileutils".

A good idea would be to run debsums nightly in a cron job, emailing you a diff of the changes since last night (preferably to an account on an unrelated host).

If you want to check a specific file and do not know which package it is owned by, do a "dpkg -S filename", for example to check if netstat has been tampered with:

  $ dpkg -S /bin/netstat
  net-tools: /bin/netstat
  $ debsums net-tools

Hope this was useful. Remember that auditing the integrity of the system files is only a small part of securing your system, but it is an important one.

Regards,
Thomas Horsten
[EMAIL PROTECTED]
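The nightly cron job described in the mail above (debsums run each night, diff against the previous night, report mailed off-host), written out as an added example script that is not part of the original mail or of debsums itself. STATE_DIR, MAILTO, the use of the `mail` command and the sample debsums lines in the comments are assumptions; the real input is whatever `debsums` prints on the audited host.

```shell
#!/bin/sh
# Nightly debsums integrity report (added example, not the mail's own code).
# debsums prints one line per packaged file, "<path> <spaces> OK|FAILED".
# Constructed sample input this script expects:
#   /bin/ps                                   OK
#   /bin/netstat                              FAILED
# Paths containing whitespace are not handled by the awk split below.

STATE_DIR="${STATE_DIR:-/var/lib/debsums-nightly}"   # assumption: report store
MAILTO="${MAILTO:-security-audit@example.invalid}"   # assumption: off-host mailbox

# Keep only the paths whose checksum mismatched, sorted so that diffs between
# two nights are stable regardless of the order debsums walked the packages.
failed_only() {
    awk '$NF == "FAILED" { print $1 }' | sort
}

# Unified diff of last night's FAILED list against tonight's.
# Returns 0 when nothing changed, 1 when it did, so the caller can decide
# whether a mail is worth sending. A missing previous report counts as empty.
compare_reports() {
    prev="$1"; cur="$2"
    [ -f "$prev" ] || : > "$prev"
    diff -u "$prev" "$cur" && return 0
    return 1
}

# Cron entry point: run debsums, extract failures, mail only the changes.
nightly() {
    mkdir -p "$STATE_DIR"
    debsums 2>/dev/null | failed_only > "$STATE_DIR/today"
    if ! delta=$(compare_reports "$STATE_DIR/yesterday" "$STATE_DIR/today"); then
        # assumption: a working MTA and the mail(1) client on the host
        printf '%s\n' "$delta" | mail -s "debsums changes on $(hostname)" "$MAILTO"
    fi
    mv "$STATE_DIR/today" "$STATE_DIR/yesterday"
}

# Uncomment to run from cron, e.g. "0 3 * * * /usr/local/sbin/debsums-nightly"
# nightly
```

A package that legitimately changed (an upgrade, an edited config file) shows up once and then disappears from the diff, while a file silently modified between runs shows up as a new `+` line in the morning mail.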