Verifying the Integrity of Your Files
Comedian Steven Wright expresses an interesting dilemma. Someone broke into his house, he says, stole everything and replaced all those things with an identical copy. In the world of the system cracker, this isn't such a crazy idea.
Here's what happens. Using some well-known hole or exploit, a cracker finds his or her way onto your system. Yet, when you do a ps, there is no evidence. When you do an ls, there is no evidence. You think your password file looks normal but you can't be sure. What to do?
One of the first things your cracker will do is replace certain files on your system. You will wind up with a new version of netstat so that a netstat -a does not show any evidence of your cracker's presence. The cracker will also replace any file that might give him or her away.
Some of those files are as follows.
Since the files have been replaced, simply doing an ls will only confirm that the files are there. There are a number of ways that you can detect modified files on your system. If you are running Red Hat, Caldera, TurboLinux, or any of the releases that use the Red Hat Package Manager (a.k.a. RPM) concept, I'm going to show you a cool way to do this.
The first thing you need to do is find out what package these files came from. Using the rpm command, you can identify the package that owns a file (say, netstat) with this version of the command:
# rpm -qf /bin/netstat
The system comes back with this reply:
Now I can scan this entire package to find out what has been changed with this version of the rpm command.
# rpm -V net-tools
(You can leave off the version information.)
Now, on my test system, I've modified my /bin/netstat binary (I replaced the 6.0 version with 5.2, in this case). The result of the above command should be nothing, just a return to the shell prompt (the hash mark). Instead, I get this:
The /bin/netstat file shows up as having been modified. If I check using rpm (rpm -qf /bin/ps) for the package that owns ps and /usr/bin/top, I find that they belong to the procps package. I will then run an rpm verify on procps. Here's a sample output from a hacked system:
# rpm -qf /bin/ps
procps.2.0.2-2
# rpm -V procps
SM5..UGT   /bin/ps
SM5..UGT   /usr/bin/top
Each letter in the leading column marks an attribute that no longer matches what the rpm database recorded at install time: file size (S), mode (M), MD5 checksum (5), owning user (U), group (G) and modification time (T); a dot means that attribute still matches. Our cracker has gone in and replaced our versions of ps and top so that we cannot see the processes he is running, maybe a sniffer or IRC "bots." The sniffer, by the way, is a program that essentially watches all your users' comings and goings and traps their passwords so that the cracker can use valid user logins to do his work, further hiding his tracks.
I'll give you a quick script now to run through your entire rpm database and check all your packages for tampering. Before I do that, I want to give you a warning. Not all files flagged by this report are hacked. For instance, the password file on your system is not the same as it was when it was first installed. After all, you added at least one user and changed at least one password. Any file that is different from the original install will show up as modified. Binaries, or compiled programs like netstat, should never show up in this list. Here's the little script:
#!/bin/bash
#
# Run through rpm database and report inconsistencies
#
for rpmlist in `rpm -qa`    # These quotes are back quotes
do
    echo " ----- $rpmlist -----" ; rpm -V $rpmlist
done > /tmp/rpmverify.out
When you run this script, the output is redirected to the temporary file /tmp/rpmverify.out. You can use more or less to view the contents of the file.
Since I mentioned that configuration and text files (/etc/passwd, /etc/inetd.conf, and so on) will very likely show up as changed when you run this script, how do you know if these are your changes and not those of your cracker? If your system is pristine, or in a state you can be sure of, such as immediately after an install or an upgrade, you can take "fingerprints" of your files, print out the information, and refer to it if you suspect something has changed.
A way to do this is with md5sum; those without rpm (Debian, Slackware, and so on) can use this method to fingerprint their binaries as well. Here's the way to do it. I'll use a few files, including some binaries.
# md5sum /etc/passwd
d8439475fac2ea638cbad4fd6ca4bc22  /etc/passwd
# md5sum /bin/ps
6d16efee5baecce7a6db7d1e1a088813  /bin/ps
# md5sum /bin/netstat
b7dda3abd9a1429b23fd8687ad3dd551  /bin/netstat
Please note: These are the numbers from my system. You don't want to write these down. The information will vary based on release and what you have in your text and configuration files. Other than the ones mentioned, you might want to check the following. Remember, print the results out and check them from time to time to help you determine if the wily cracker has entered your domain. Here are those files:
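The fingerprint-and-compare routine described above, written out as a small shell script. This is an added example, not code from the original article; it assumes GNU coreutils md5sum and uses constructed stand-in files in a scratch directory rather than the real /etc/passwd and /bin/netstat.

```shell
#!/bin/sh
# Added example, not from the original article: "fingerprint" a set of files
# with md5sum while the system is in a known-good state, then compare the
# live files against that record later. Assumes GNU coreutils md5sum.

# make_baseline BASELINE FILE...
# Writes "hash  path" lines, the format md5sum itself prints, so the record
# can also be re-checked by hand with: md5sum -c BASELINE
make_baseline() {
    baseline=$1; shift
    md5sum "$@" > "$baseline"
}

# check_baseline BASELINE
# Prints one line per recorded file whose hash now differs (MODIFIED) or
# which no longer exists (MISSING); returns 1 if anything changed, else 0.
check_baseline() {
    baseline=$1
    changed=0
    while read -r recorded path; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            changed=1
            continue
        fi
        current=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$current" != "$recorded" ]; then
            echo "MODIFIED $path"
            changed=1
        fi
    done < "$baseline"
    return $changed
}

# demo: constructed stand-ins for a config file and a binary in a scratch
# directory; prints the check_baseline report after one file is replaced.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"    # constructed
    printf 'pretend this is the real netstat\n' > "$tmp/netstat"  # constructed
    make_baseline "$tmp/baseline.md5" "$tmp/passwd" "$tmp/netstat"
    printf 'pretend this is a replaced netstat\n' > "$tmp/netstat"
    check_baseline "$tmp/baseline.md5"
    rm -rf "$tmp"
}

demo
```

Keep the baseline file itself off the machine it describes (print it, or store it on read-only media), since a cracker who can replace netstat can just as easily rewrite a hash list left on disk.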
This should give you a good starting point. Crackers will not change every file on your system, and monitoring a few specific files is enough to give you a good idea as to whether or not something has been changed without your knowledge.