Re: chfn, date, chsh INFECTED according to chkrootkit

From: Giorgos Keramidas (keramida_at_linux.gr)
Date: 08/18/04

  • Next message: Tommy K: "Re: chfn, date, chsh INFECTED according to chkrootkit"
    Date: Wed, 18 Aug 2004 17:54:00 +0300
    To: "Thordur Ivar B." <thib@mi.is>
    
    

    On 2004-08-18 14:25, "Thordur Ivar B." <thib@mi.is> wrote:
    > But still, you can only be sure if you trust your CVS checkout.
    > I have found it rather annoying not having checksums of each and
    > every file in /usr/src. And having a "secure" (man-in-the-middle
    > attack, etc. comes to mind) way of obtaining the checksum file. (A good
    > shell script could verify the checkout and you could sleep easy ;)
    >
    > Do correct me about the checksums if I'm wrong.

    Would something like this work for you?

            # mount /mnt/floppy
            # mtree -c -K cksum,flags -p . | \
              bzip2 -9c - > /mnt/floppy/src.dist.bz2
            # umount /mnt/floppy

    Then you can mount the floppy disk and check the /usr/src tree against
    the checksums saved by mtree with:

            # mount /mnt/floppy
            # bunzip2 -cd /mnt/floppy/src.dist.bz2 | \
              mtree -u -f -
            # umount /mnt/floppy

    Any differences of the files since your last CVSup should be easy to
    catch with this little trick. I've just tested this on my -CURRENT
    installation and the bzip2'd spec file generated by the first mtree
    invocation is a little less than 600 KB for /usr/src. It fits nicely
    in a single floppy disk :-)

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
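
The baseline-and-compare workflow from the message above, as an added example that is not part of the original post: it swaps mtree for plain shell, uses SHA-256 rather than the CRC computed by mtree's `cksum` keyword, and reports added, changed and removed files. The function names, the constructed demo tree and the dependency on GNU find/sort/xargs/sha256sum are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU find/sort/xargs/sha256sum
# and file names without newlines or backslashes. All names here are hypothetical.

# make_manifest TREE: print "<sha256>  ./path" for every regular file, sorted by path.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# compare_manifest BASELINE TREE: print drift; returns 0 if clean, 1 on drift,
# 2 if the baseline cannot be read (fail closed instead of reporting "all added").
compare_manifest() {
    [ -r "$1" ] || { echo "baseline $1 not readable" >&2; return 2; }
    make_manifest "$2" | awk -v base="$1" '
        # sha256sum lines are 64 hex digits, two separator characters, then the path.
        BEGIN { while ((getline line < base) > 0) old[substr(line, 67)] = substr(line, 1, 64) }
        {
            path = substr($0, 67); hash = substr($0, 1, 64)
            if (!(path in old)) { print "ADDED " path; drift = 1; next }
            if (old[path] != hash) { print "CHANGED " path; drift = 1 }
            delete old[path]
        }
        END { for (path in old) { print "REMOVED " path; drift = 1 }; exit drift + 0 }'
}

# Constructed demo: baseline a throwaway tree, alter it three ways, then compare.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/src/bin/date" "$work/media"
    printf 'int main(void) { return 0; }\n' > "$work/src/bin/date/date.c"
    printf 'PROG= date\n' > "$work/src/bin/date/Makefile"
    make_manifest "$work/src" > "$work/media/src.sha256"     # stands in for the floppy
    printf '/* altered */\n' >> "$work/src/bin/date/date.c"  # changed file
    printf 'int x;\n' > "$work/src/bin/date/extra.c"         # added file
    rm "$work/src/bin/date/Makefile"                         # removed file
    status=0
    compare_manifest "$work/media/src.sha256" "$work/src" || status=$?
    rm -rf "$work"
    return "$status"
}

demo || echo "tree differs from baseline"
```

As with the floppy in the message, the manifest is only useful if it is stored where the checked host cannot rewrite it.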

