Re: MD5 checksum changed
From: Tim Haynes (usenet-20040827_at_stirfried.vegetable.org.uk)
Date: Fri, 27 Aug 2004 17:38:02 +0100
email@example.com (Jonathan L Cunningham) writes:
>>> Replace the package with the --force option.
>>No no no no NO!!!!
>>Destroying evidence like this is sheer lunacy. Investigate until you find
> In an ideal world, I could replace that machine with another, copy all
> the binaries off it, reinstall everything again from the original
> installation disks, copy all those off somewhere else, then do a diff on
> all the files.
> But what would that tell me that would justify my time? (That's a serious
> question: I'd *like* to know what the cause was, but if, say, I could
> just install the latest version of RedHat instead of using a (few months
> old) version of Mandrake, mere curiosity is not sufficient
It would tell you how secure the box was - a clean installation off new
trusted media (CDs) with audited data only, up to date, firewalled, only
running what it needs, with IDS and nIDS and regular log-watching - this is
Something that's been running a while and you've lost the certainty of
integrity ain't the same. And, more to the point, if you go around
replacing bits of the machine willy-nilly without checking for or tackling
underlying (potential) problems, that certainty is *never* going to come
If you find the box to be clean, all to the good; if you find it's been
cracked, you might have a clue for things to look out for in the future
(firewalling, minimalism, whatever config-changes enhance the box's
security to avoid the class of problem that led to a crack). Them's the
> Meanwhile, we still need to send and receive e-mail, and it would be
> nice if the web-site remained up.
Sure. The logistics are up to you - it may be time to gain certainty with a
clean installation and do it properly; it may be there's a simple
explanation (prelink or HD corruption), if you're lucky. Either way you
should resolve the changed binary, find *why* it happened or otherwise
guarantee that the machine is clean.
>>Here's two more ideas to consider: a) hardware cockup leading to
>>filesystem corruption manifesting itself as a screwup in that binary -
>>run a fsck on the partition in question in single-user mode;
> Yes, that seems like a good idea: and it won't take so long I need to
> install a "spare" machine while I'm doing it.
Hope so :)
>>b) Are you running `prelink'? See
> Sorry, I followed this link and I couldn't see what you are
> referring to.
Ah, it was an interesting thread on uk.comp.os.linux a while ago; Paul had
a box where tripwire started saying a binary had changed, transpired he was
running this prelink thing (<http://freshmeat.net/projects/prelink/>) which
> I see in your other reply in this thread that you mentioned iptables
> there, too. I'm not running iptables on this machine, but have been
> relying on the separate hardware firewall.
A simple iptables firewall is so easy to stick on a box, I'd say use one
network-wide thing *and* per-machine.
> I assume there is some additional benefit I would get? But you'd need to
> explain v-e-r-y s-l-o-w-l-y in words of one syllable what I'd need to do.
Firewalling a machine individually? My method:
* Ascertain how the existing firewall system works - whether it uses a raw
script or an iptables-save output. Look in /etc/init.d/ and trace it back
from there, what config files the appropriate service script references.
* Grab my firewall script -
<http://spodzone.org.uk/packages/secure/iptables.sh> - and edit it. There
are sections for handling return packets for things we've asked for, and
for services we provide, and then the rest is dropped. (If you want to run
ssh, leave that line in; if you run mail and web-servers, clone twice and
replace 22 with 25 and 80, etc.)
* Run it, check that it works - you should get different output in
`iptables -nL' that looks vaguely like the rules, packets to various ports
should be permitted or dropped, from various places. Test a few.
* If appropriate, maybe try
    iptables-save > /var/lib/iptables/rules-save
(on Gentoo, at least). Either that or make your version of my script run on
startup by fair means or foul.
That's, erm, it. :)
> We're not big enough to hire a full-time security consultant, so I have
> to try and fit this stuff into all my other work. (Anyone who explains
> that therefore we deserve to go out of business will be politely
You do need to dedicate some time or resource to it - read up on Linux
security (<http://www.linuxsecurity.com/> being a possible start) and
firewalling (<http://www.netfilter.org/> also). If you don't have the time,
hire a temporary consultant.
Try to persuade your boss that if you don't invest the time now in a nice
solid lump (day or two, maybe a new machine) and get a regular routine
(apply package updates and read logfiles for the first 10mins of every
day), then the future upstream costs *when* a crack really happens and you
have to do damage assessment and limitation and repairs will take over a
week of your time, being caught with your knickers down with no spare
machine having to do a reinstallation while your web & mail servers are
offline as you sweat your guts up.
-- 
16:58:06 up 10 days, 32 min, 4 users, load average: 0.05, 0.04, 0.06
firstname.lastname@example.org |The light of the world keeps shining,
http://spodzone.org.uk/cesspit/ |Bright in the primal glow
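
Added example, not part of the original post and not the iptables.sh script it links to: the policy the firewalling steps describe (accept return packets for things we asked for, accept the services the box provides, drop the rest), written as a shell function that emits a ruleset in `iptables-restore` format. The function name `gen_ruleset` and the port list 22/25/80 are illustrative assumptions.

```shell
#!/bin/sh
# Added example: build a default-deny host firewall as iptables-restore text.
# gen_ruleset is a hypothetical helper, not part of any iptables package.

gen_ruleset() {
    # Arguments: TCP ports of the services this machine provides.
    # Validate everything first so a bad argument yields no partial ruleset.
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*|??????*)
                echo "bad port: $p" >&2
                return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2
            return 1
        fi
    done

    echo "*filter"
    # Anything not explicitly accepted below is dropped.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Local loopback traffic.
    echo "-A INPUT -i lo -j ACCEPT"
    # Return packets for connections this machine initiated.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One line per service provided; clone by adding a port to the arguments.
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Constructed sample: a box offering ssh, mail and web.
# To check the syntax without loading it (as root):
#   gen_ruleset 22 25 80 | iptables-restore --test
gen_ruleset 22 25 80
```

After loading the ruleset, `iptables -nL` should list the same three ACCEPT lines under an INPUT chain whose policy is DROP.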