checking checksums on binaries and checking for rootkits

Dan Nelson dnelson at
Tue Feb 10 12:04:57 PST 2004

In the last episode (Feb 10), Jerry McAllister said:
> > hello, im using FBSD 4.9 ... IS there a way to check the checksum
> > on binairies like "ls , ps" etc..  to check for rootkits ?
> > 
> > On Solaris you can run md5 on a binary and compare it against a
> > utility on SUNS website that will cehck the finger print to see
> > whether the binary is part of a rootkit or the original binary. 
> > Does Freebsd have a tool like this ?
> The checksums are available for the ISOs on the FreeBSd site in the
> same directory as the ISOs.
> As for individual routines, I don't know. 

mtree is great for this.  Run "mtree -k sha1digest,time,size -c -p /etc", 
save the output to a secure location, and run "mtree -p /etc < mtree.txt" 
later to verify timestamps and checksums.  Although it's mainly for
self-verification.  I suppose you could run it against the live cdrom.

	Dan Nelson
	dnelson at

More information about the freebsd-questions mailing list