checking checksums on binaries and checking for rootkits
Dan Nelson
dnelson at allantgroup.com
Tue Feb 10 12:04:57 PST 2004
In the last episode (Feb 10), Jerry McAllister said:
> > Hello, I'm using FBSD 4.9 ... Is there a way to check the checksum
> > on binaries like "ls, ps" etc. to check for rootkits?
> >
> > On Solaris you can run md5 on a binary and compare it against a
> > utility on Sun's website that will check the fingerprint to see
> > whether the binary is part of a rootkit or the original binary.
> > Does FreeBSD have a tool like this?
>
> The checksums are available for the ISOs on the FreeBSD site in the
> same directory as the ISOs.
>
> As for individual routines, I don't know.
mtree is great for this. Run "mtree -k sha1digest,time,size -c -p /etc",
save the output to a secure location, and run "mtree -p /etc < mtree.txt"
later to verify timestamps and checksums. Although it's mainly for
self-verification. I suppose you could run it against the live cdrom.
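The baseline-then-verify workflow above, as an added Python example that is not part of the original thread: it computes the same sha1digest, size and time keywords, writes them in the flat one-path-per-line layout that "mtree -C" prints, and diffs a later walk against the saved spec. It does not call mtree itself, so it runs where mtree is not installed; the scratch directory and the altered file in demo() are constructed for the illustration.

```python
import hashlib, os, pathlib, tempfile

def file_record(path):
    # The post's three -k keywords, formatted as mtree prints them: hex sha1, byte count, seconds.nanoseconds mtime
    with open(path, "rb") as fh:
        digest = hashlib.sha1(fh.read()).hexdigest()
    ns = os.stat(path).st_mtime_ns
    return {"sha1digest": digest, "size": str(os.path.getsize(path)),
            "time": f"{ns // 10**9}.{ns % 10**9:09d}"}

def create_spec(root):
    # One './relative/path kw=val ...' line per regular file, the flat layout 'mtree -C' prints (no vis escaping)
    lines = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            kvs = " ".join(f"{k}={v}" for k, v in file_record(full).items())
            lines.append(f"./{os.path.relpath(full, root)} {kvs}")
    return "\n".join(sorted(lines)) + "\n"

def parse_spec(text):
    # Map relative path -> {keyword: value}; blank and '#' comment lines are skipped
    rows = [ln.split() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return {r[0][2:]: dict(kv.split("=", 1) for kv in r[1:]) for r in rows}

def verify(root, spec_text):
    # Re-walk the live tree and list every file that is missing, new, or differs in a keyword
    expected, actual = parse_spec(spec_text), parse_spec(create_spec(root))
    findings = []
    for path in sorted(set(expected) | set(actual)):
        if path not in expected or path not in actual:
            findings.append(f"{path} {'extra' if path in actual else 'missing'}")
            continue
        for k, want in expected[path].items():
            if want != actual[path].get(k):
                findings.append(f"{path} changed {k} (expected {want}, actual {actual[path].get(k)})")
    return findings

def demo():
    # Constructed scenario: baseline a scratch tree, then alter one file and put its mtime back
    with tempfile.TemporaryDirectory() as root:
        target = pathlib.Path(root, "rc.d", "sshd")
        target.parent.mkdir()
        target.write_bytes(b"#!/bin/sh\n")
        pathlib.Path(root, "rc.conf").write_bytes(b'hostname="box"\n')  # untouched control file
        spec = create_spec(root)  # this text is what you would keep in a secure location
        ns = target.stat().st_mtime_ns
        target.write_bytes(target.read_bytes() + b"echo extra\n")
        os.utime(target, ns=(ns, ns))  # with mtime restored, time= alone would not reveal the change
        return verify(root, spec)  # sha1digest and size findings for rc.d/sshd, nothing for time
```

Calling demo() returns the two findings for rc.d/sshd and none for rc.conf; against a real tree, create_spec(root) is the text to store off-host and verify(root, saved_text) is the later check.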
--
Dan Nelson
dnelson at allantgroup.com