chfn, date, chsh INFECTED according to chkrootkit
Giorgos Keramidas
keramida at linux.gr
Wed Aug 18 07:54:14 PDT 2004
On 2004-08-18 14:25, "Thordur Ivar B." <thib at mi.is> wrote:
> But still, you can only be sure if you trust you CVS checkout.
> I have found it rather annyoing not have'ing checksums of each and
> every file in /usr/src. And having a "secure" (man-in-the-middle
> attack, etc comes in mind) way of optaining the checksum file.( A good
> shell script could verify the checkout and you could sleep easy ;)
>
> Do correct me about the checksums if I'm wrong.
Would something like this work for you?
# mount /mnt/floppy
# mtree -c -K cksum,flags -p . | \
bzip2 -9c - > /mnt/floppy/src.dist.bz2
# umount /mnt/floppy
Then you can mount the floppy disk and check the /usr/src tree against
the checksums saved by mtree with:
# mount /mnt/floppy
# bunzip2 -cd /mnt/floppy/src.dist.bz2 | \
mtree -u -f -
# umount /mnt/floppy
Any differences of the files since your last CVSup should be easy to
catch with this little trick. I've just tested this on my -CURRENT
installation and the bzip2'd spec file generated by the first mtree
invocation is a little less than 600 KB for /usr/src. It fits nicely
in a single floppy disk :-)
More information about the freebsd-security
mailing list