Comparing file trees to check for compromised system.
From: Thomas Frayne (tomf_at_sjpc.org)
Date: 09/11/03
- Previous message: Thomas Frayne: "Re: Recovering from compromised system"
- Next in thread: erik: "Re: Comparing file trees to check for compromised system."
- Reply: erik: "Re: Comparing file trees to check for compromised system."
- Reply: James T. Dennis: "Re: Comparing file trees to check for compromised system."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 10 Sep 2003 15:14:35 -0700
I suspected that my RH9 system was compromised, and discussed the issues
with Bit Twister and /dev/rob0, who were both very helpful.
I ended up using Bit Twister's ideas to write a script to compare two
file trees. The comments indicate how it is invoked and the format of
its output. I plan to write another script to invoke /root/cmp_tree.sh
for each top level subdirectory of / that I need to compare. Then in the
Auditor system, I'll mount the entire file tree of the suspect system,
and run the script. Finally, I'll do the manual work to resolve the
discrepancies. Here is the script.
------------------------------------------------------------------------
#!/bin/bash
#
# /root/cmp_tree.sh tree1 tree2
#
# Example:
# /root/cmp_tree.sh /etc /a/sdb2/etc &> /root/cmp_tree_list.txt
#
# Compare all the files and directories in tree1 to those in tree2.
# Redirect the results to /root/cmp_tree_list.txt:
#   Missing directories
#   Missing files
#   Symlinks whose targets differ
#   Common regular files that do not compare (cmp prints the first
#   differing byte, or "EOF on <file>" when one file is a prefix of the other)
#
# After the tree1/tree2 compare, tree2/tree1 is done for missing files
# and directories only.
#
# Run this from the Auditor system with the suspect disk mounted (here
# under /a/sdb2), so that only the auditor's own cmp and find are executed.
#
# Sample output:
# $tree1: /etc length: 4
# $tree2: /a/sdb2/etc length: 11
# /etc/adjtime /a/sdb2/etc/adjtime differ: byte 1, line 1
# Compare failed for /etc/adjtime /a/sdb2/etc/adjtime
# /etc/aliases.db /a/sdb2/etc/aliases.db differ: byte 53, line 1
# Compare failed for /etc/aliases.db /a/sdb2/etc/aliases.db
# cmp: EOF on /etc/exports
# Compare failed for /etc/exports /a/sdb2/etc/exports
# /etc/fstab /a/sdb2/etc/fstab differ: byte 8, line 1
# Compare failed for /etc/fstab /a/sdb2/etc/fstab
# For file /etc/vfontcap /a/sdb2/etc/vfontcap does not exist.
# For file /a/sdb2/etc/edge.exclude /etc/edge.exclude does not exist.
# For file /a/sdb2/etc/edge.failed /etc/edge.failed does not exist.
# For /a/sdb2/etc/gimp /etc/gimp directory does not exist.

tree1=${1%/}
tree2=${2%/}
if [ ! -d "$tree1" ] || [ ! -d "$tree2" ]; then
    echo "usage: $0 tree1 tree2   (both must be existing directories; use /etc, not /)" >&2
    exit 2
fi
echo "\$tree1: $tree1 length: ${#tree1}"
echo "\$tree2: $tree2 length: ${#tree2}"

# walk_tree src dst compare
# For every entry below src, derive its counterpart below dst by swapping
# the src prefix for dst, then report missing or mismatched entries.
# With compare=yes, regular files present on both sides are byte-compared
# and symlink targets are checked as well.
# find (without -L) does not follow symlinks, -print0/read -d '' keeps names
# with spaces intact, dotfiles are included (the earlier "$tree/*" glob
# skipped them), and the walk is fully recursive ("ls -daR" was not).
walk_tree() {
    local src=$1 dst=$2 compare=$3 p1 p2
    find "$src" -mindepth 1 -print0 | LC_ALL=C sort -z |
    while IFS= read -r -d '' p1; do
        p2=$dst${p1#"$src"}
        if [ -L "$p1" ]; then
            # Compare link targets instead of following them: a link planted
            # in the suspect tree could otherwise point cmp at any file.
            if [ ! -L "$p2" ]; then
                echo "For link $p1 $p2 is not a symlink."
            elif [ "$compare" = yes ] && [ "$(readlink "$p1")" != "$(readlink "$p2")" ]; then
                echo "Link targets differ for $p1 $p2"
            fi
        elif [ -d "$p1" ]; then
            if [ -d "$p2" ]; then
                :
            elif [ -e "$p2" ]; then
                echo "For $p1 $p2 is not a directory."
            else
                echo "For $p1 $p2 directory does not exist."
            fi
        elif [ -f "$p1" ]; then
            if [ ! -f "$p2" ]; then
                echo "For file $p1 $p2 does not exist."
            elif [ "$compare" = yes ] && ! cmp "$p1" "$p2"; then
                echo "Compare failed for $p1 $p2"
            fi
        else
            # devices, sockets, fifos: report rather than cmp them, since cmp
            # would block on a fifo or never reach EOF on a device
            echo "Special file $p1 skipped."
        fi
    done
}

walk_tree "$tree1" "$tree2" yes
walk_tree "$tree2" "$tree1" no
--------------------------------------------------------------
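An added example, not from Thomas's post or from the replies in this thread: instead of walking one tree and running cmp per file, build a sorted manifest of each tree (type, permission bits, owner, size, SHA-256 of regular files, symlink target) with paths made relative to the tree root, and diff the two manifests. That catches changes a byte-compare loop cannot see, such as a setuid bit added to an otherwise identical binary or a symlink repointed, and the manifest of the trusted tree can be saved before the suspect disk is ever mounted. It assumes GNU find and coreutils on a Linux auditor host and file names without newlines; the ref/sus trees it builds, and the file names and contents in them, are constructed sample data.

```shell
#!/usr/bin/env bash
# Manifest-based comparison of two file trees (added example; assumes GNU
# find, coreutils sha256sum/readlink and a Linux auditor host).  Each
# object is recorded as type, permission bits, owner, size, content hash or
# symlink target, so a flipped setuid bit or a repointed link is reported
# even when every regular file still matches byte for byte.

tab=$(printf '\t')

# tree_manifest ROOT
# One sorted line per object below ROOT, path made relative to ROOT so the
# manifests of /etc and /a/sdb2/etc line up:
#   RELPATH TYPE MODE UID:GID SIZE SHA256|"-> target"|-   (tab-separated)
# find does not follow symlinks (default -P), so a link planted in the
# suspect tree cannot redirect the hashing to files of the auditor system.
# Assumes file names without embedded newlines.
tree_manifest() {
    local root=${1%/}
    find "$root" -mindepth 1 -printf '%y\t%m\t%U:%G\t%s\t%p\n' |
    while IFS=$tab read -r type mode own size path; do
        local rel=${path#"$root"/} digest=-
        case $type in
            f) digest=$(sha256sum -- "$path" | cut -d' ' -f1) ;;
            l) digest="-> $(readlink -- "$path")"; size=- ;;
            *) size=- ;;    # directories, devices, fifos: size is noise
        esac
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$rel" "$type" "$mode" "$own" "$size" "$digest"
    done | LC_ALL=C sort
}

# compare_trees REF SUSPECT
# Prints manifest lines found only in REF ('<') or only in SUSPECT ('>');
# a modified object appears once on each side.  Exit status 0 when the
# trees match, 1 when they differ, like cmp and diff.
compare_trees() {
    local ref susp rc=0
    ref=$(mktemp) && susp=$(mktemp) || return 2
    tree_manifest "$1" >"$ref"
    tree_manifest "$2" >"$susp"
    if ! cmp -s "$ref" "$susp"; then
        rc=1
        diff "$ref" "$susp" | grep '^[<>]'
    fi
    rm -f "$ref" "$susp"
    return $rc
}

# build_demo DIR
# Constructed sample data (not from the original post): DIR/ref is the
# trusted baseline, DIR/sus the same tree as found on the suspect disk with
#   bin/ps             same size, different bytes (a size check misses it)
#   bin/sh             identical bytes, setuid bit added
#   bin/vi             symlink repointed from vim to /tmp/vi
#   cfg/issue          present only in ref
#   cfg/ld.so.preload  present only in sus
build_demo() {
    local d=$1 side
    for side in ref sus; do
        mkdir -p "$d/$side/bin" "$d/$side/cfg"
        printf 'ls binary v1\n' >"$d/$side/bin/ls"
        printf 'sh binary v1\n' >"$d/$side/bin/sh"
        printf '127.0.0.1 localhost\n' >"$d/$side/cfg/hosts"
        chmod 755 "$d/$side/bin/ls" "$d/$side/bin/sh"
    done
    printf 'ps binary v1\n' >"$d/ref/bin/ps"
    printf 'ps binary v2\n' >"$d/sus/bin/ps"
    chmod 755 "$d/ref/bin/ps" "$d/sus/bin/ps"
    chmod 4755 "$d/sus/bin/sh"
    ln -s vim "$d/ref/bin/vi"
    ln -s /tmp/vi "$d/sus/bin/vi"
    printf 'Red Hat Linux release 9\n' >"$d/ref/cfg/issue"
    printf '/lib/libevil.so\n' >"$d/sus/cfg/ld.so.preload"
}

# Stand-alone run: build the sample trees in a temp dir, compare, clean up.
demo() {
    local work
    work=$(mktemp -d) || return 2
    build_demo "$work"
    compare_trees "$work/ref" "$work/sus" || echo "compare_trees exit status: $?"
    rm -rf "$work"
}
demo
```

Run it on the auditor system with the suspect disk mounted read-only, for instance compare_trees /etc /a/sdb2/etc, and save tree_manifest output of the trusted tree to a file so later runs only need to hash the suspect side. Lines prefixed "<" come from the reference tree and ">" from the suspect one; the exit status is 0 only when the manifests match, so the function can gate a larger script.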