
Known-Good MD5 Database

timothy posted more than 11 years ago | from the damn-good-idea dept.

Security 309

bgp4 writes "Have you ever examined a system you thought was broken into but you weren't sure? If only you had run an integrity verification program like osiris or Tripwire first you could have figured out what programs had been changed. In an effort to help out in the instances when you can't answer the question "what was this like before?" we've constructed a searchable database of MD5 and SHA-1 hashes for files in many standard operating systems. You can search using the filename or the checksum and see if you have a trojaned binary or an overactive imagination. Currently at knowngoods.org we have many FreeBSD, OS X, Linux, and Solaris installations checksummed and cataloged. If you have other programs or distributions you would like to see in the database, please let us know."


Yes, in fact, I have! (4, Funny)

Anonymous Coward | more than 11 years ago | (#4841830)

Have you ever examined a system you thought was broken into but you weren't sure?
Just about every time I've broken into a system! :)

mod parent up (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4841850)

+1 funny

What about source builds? (5, Insightful)

Anonymous Coward | more than 11 years ago | (#4841832)

Wouldn't this be useless to anybody that builds from source?

Re:What about source builds? (0)

Anonymous Coward | more than 11 years ago | (#4841840)

Shouldn't that nick read "Anonymous Obvious Guy"?

Re:What about source builds? (2)

bytesmythe (58644) | more than 11 years ago | (#4841852)

If the distributor of your source was compromised to give out a file containing a trojan or other nasty surprise, then no, it isn't useless.

Re:What about source builds? (5, Insightful)

Cerlyn (202990) | more than 11 years ago | (#4841905)

Indeed; the capability of such a system is a bit limited with operating systems like FreeBSD, which actively *encourage* their users to build/rebuild from sources. IIRC, FreeBSD actually only gives intermediate security updates in source code format so you have to compile them (not too hard: cd /usr/src ; make buildworld).

So, recording the checksum to /bin/ls, etc. is a bit flawed in that when I do a "make buildworld", my custom configuration parameters from /etc/make.conf get used, overriding CPU type, if Xfree86 is installed, etc. Since my system's parameters likely will not match FreeBSD's master build system, there is a high chance that the checksums after I do a rebuild are significantly different.

But for non-source distributions (Redhat, etc.) this concept is excellent, assuming that no one compromises the database or the OS kernel. Unfortunately, no database checksummer will ever counteract the case when the OS kernel itself is compromised, potentially returning one file when scanned and another when executed.

Still, it wouldn't hurt for them to record source file checksums as well; after all, having an independent checksumming group would require them to be compromised as well as the FTP network, making an attacker's life harder.

Re:What about source builds? (4, Insightful)

pVoid (607584) | more than 11 years ago | (#4841981)

Indeed.

In fact, this system would be best suited for systems which aren't OSS... such as windows =)

crowd boos... stones and rotten tomatoes fly as author runs for cover

:)

Re:What about source builds? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4841996)

umm.. why the FUCK would anyone spend time recompiling /bin/ls? rebuilding the kernel and binaries that have security updates, I can understand, but just because you CAN make buildworld doesn't mean you should. Talk about a waste of time and energy.

Re:What about source builds? (1, Informative)

Anonymous Coward | more than 11 years ago | (#4842039)

You're wrong. If you compile from source you can be sure of what you're getting. You do realize, don't you, that replacing utilities like ls is a key part of any rootkit?

Furthermore, (1, Funny)

Anonymous Coward | more than 11 years ago | (#4841924)

I need a daemon that will monitor the binaries and check their md5 with this database to keep me secure!

FECES! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4841834)

I propose a similar database for feces, so that we might identify whether or not the feces we are having for dinner on a particular night is REALLY the feces we put in the fridge that morning. I hate having my fecal security compromised before dinner. It ruins my night.

Re:FECES! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4841856)

I fucking hate moderators who can't sense the importance of a particular comment. So many gems such as this one get swept under the carpet with all the trash. Come on, mods... this is +1, insightful all the fucking way!

Eat my shit and then shit that out and then have your friend eat that and then have him shit that out and eat that and then shit that out and have him eat that and then have him shit that out and eat his shit and do it again and again and again, ad nauseam!

In Soviet Russia... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4841836)

database checksums YOU!!

What?! No Windows? (2, Insightful)

Anonymous Coward | more than 11 years ago | (#4841837)

We need file verification, too! Probably more so with some of the Windows/IE vulnerabilities.

Re:What?! No Windows? (1, Funny)

Anonymous Coward | more than 11 years ago | (#4841933)

Wow! You're right. I mean, how will you know the Klez virus you have is the right one?

Re:What?! No Windows? (2)

carpe_noctem (457178) | more than 11 years ago | (#4842040)

Windows doesn't really have a good system of labeling releases, and I'm sure that the people running this website don't wanna do this for every service pack available for most microsoft products.

IN SOVIET RUSSIA (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4841839)

The system breaks into YOU!

But what happens... (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4841842)

... when they trojan your MD5 checksummer? ;)

So what about the obvious scenario... (2, Insightful)

Samir Gupta (623651) | more than 11 years ago | (#4841843)

What if someone hacked into the MD5 database and changed the entries? :-)

Re:So what about the obvious scenario... (2)

cscx (541332) | more than 11 years ago | (#4841878)

It wouldn't mean jack shit, except for keeping the admin on his toes.

Re:So what about the obvious scenario... (2, Interesting)

neurostar (578917) | more than 11 years ago | (#4841880)

What if someone hacked into the MD5 database and changed the entries?

This is definitely a legitimate concern. I would be wary about this.

There is one possibility however. Even if the entries are changed maliciously, the MD5 sums might possibly be different from the rootkit that is installed. IIRC rootkits are compiled on the host machine, and this might change the MD5 sums for the rootkit. Also, there are different sources of rootkits, so that would also affect the MD5 sums and the feasibility of changing the entries.

neurostar

Re:So what about the obvious scenario... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4841902)

This is definately a legitimate concern. I would be wary about this.
Yuo spel liek a retard.

Re:So what about the obvious scenario... (4, Insightful)

BitHive (578094) | more than 11 years ago | (#4841885)

Then I imagine that as soon as someone changes a hash, many secure systems will indicate they've been compromised, and the whole thing will be quite obvious to sort out.

Solution (0)

Anonymous Coward | more than 11 years ago | (#4841978)

They should keep a database of md5 hashes of the database entries.

This is one of those things... (3, Insightful)

carl67lp (465321) | more than 11 years ago | (#4841844)

This is the type of thing that you'd ask "Why didn't they do this sooner?" -- it's just that logical of an idea.

Absolutely fabulous, wonderful! The real trick, though, is to build up trust in your database so that those searching it will be sure that the checksums are actually correct--you know, rather than buying a burglar alarm from the robber himself. Thus, I doubt you'd be able to take submissions from users right away--at least without a competent staff checking to make sure they're correct.

IN SOVIET RUSSIA (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4841845)

The source builds YOU. I love America!

Cool? (2, Interesting)

kir (583) | more than 11 years ago | (#4841849)

You know, this is sort of cool... until it gets hacked (cracked... whatever) and then your entire OS looks bad. Wait. That is COOL!

IN SOVIET RUSSIA (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4841851)

we like to troll!

greetz to all you $2 sand niggahs out there!

Gore, Lieberman fault on Bush's economy (-1, Offtopic)

Billly Gates (198444) | more than 11 years ago | (#4841853)

WASHINGTON (AP) - Democrats Al Gore (news - web sites) and Joe Lieberman (news - web sites), critical of the White House's economic policy, expressed support Sunday for tax cuts aimed at the middle class and a stimulus package to revive the economy.

Gore and Lieberman, possible presidential contenders in 2004, said the shake-up in the Bush administration's economic team last week would mean little without changes in economic policy.

Failing to offer new initiatives would make President Bush (news - web sites)'s replacements for Treasury Secretary Paul O'Neill and White House economic adviser Lawrence Lindsey "fall guys for failed policies," Gore said.

Bush will announce successors to Lindsey and O'Neill as early as Monday, a senior administration official said. The president returned to the White House from Camp David Sunday with another key economic adviser -- Commerce Secretary Don Evans.

Gore, the Democratic presidential nominee in 2000, said on ABC's "This Week" that he would focus on more tax cuts for middle-income families and balance an economic stimulus package with the need to restore long-term confidence in the economy.

He said he would propose a detailed economic plan after the first of the year that would combine a middle-income tax cut with a freeze on the income tax rates paid by the wealthiest Americans.

The $1.3 trillion, 10-year tax cut enacted last year includes a gradual lowering of income tax rates. Democrats say it most benefits the wealthy and has contributed to the return of federal budget deficits.

Lieberman, Gore's running mate two years ago, said his plan for reviving the economy included putting more money into the hands of middle-class families, giving businesses incentives to start investing again, and providing funds for public works, particularly to states for homeland security.

"Our economy is in trouble," Lieberman, D-Conn., said on "Fox News Sunday." He said that more than 1 million people have fallen into poverty and business investment during the administration has been at a 50-year low. "The economy needs something different from what President Bush has given it."

President Bush is expected to present Congress with his own stimulus package next month.

Among possible elements are accelerated income tax rate reductions, eliminating the taxation of investors' stock dividends and payroll tax exemptions, an idea endorsed by another Democratic presidential hopeful, Sen. John Kerry (news, bio, voting record), D-Mass.

Lieberman repeated that he would probably run for president, but only if Gore decides against another White House bid.

Gore, meantime, also discussed his preference for "single-payer" national health coverage, which would require a massive change in the insurance system. Money to pay for health care -- such as insurance premiums and tax dollars -- would be collected by a single agency, which would then pay for comprehensive coverage for all citizens.

Gore, pressed to say what such a plan would mean higher taxes, said he did not think "new revenues necessarily are required."

In fact, he suggested "it may mean fewer taxes. ... I think it would mean less expense overall because of all the money that's wasted now."

"With the same revenue that we have now, we can do a much better job if we don't waste one out of every three dollars" on paperwork. More details of his idea will come early in 2003, Gore said.

Republicans quickly pounced on Gore's comments about taxes.

"With the 2004 Democratic presidential primary under way, Al Gore reminded voters today of two very important things," said Jack Oliver, deputy chairman of the Republican National Committee (news - web sites). "First, Democrats won't rule out raising taxes to spend more of people's hard-earned money and second that he is willing to say or do anything to get elected."

Gore Should Not Run Again Party Insiders Say-Poll (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4841904)

LOS ANGELES (Reuters) - A poll of members of the Democratic Party's governing body showed on Sunday that nearly half think Al Gore (news - web sites) should forgo another run for the U.S. presidency in 2004.

The Los Angeles Times poll of members of the Democratic National Committee (news - web sites) showed significant support for a run by Sen. John Kerry of Massachusetts as well as a dark-horse bids by Vermont Gov. Howard Dean and Sen. John Edwards of North Carolina.

Only 35 percent of the committee members believed Gore, the former vice president and Democratic presidential candidate in 2000, should attempt a third White House run compared to 48 percent who said he should not. A significant 17 percent, however, remained undecided.

A new Time/CNN poll also released on Sunday showed 61 percent of Democrats would like to see Gore run in 2004.

Almost half of all those interviewed in the Time/CNN poll, 45 percent, thought it was likely Gore would win the nomination and become president. But 49 percent said they didn't think any Democrat could beat President Bush (news - web sites).

Those interviewed in the Time/CNN poll were statistically split over whether they would like to see Gore run in 2004, 45 percent in favor and 48 percent against, with a 3.1 percent margin of error.

The Los Angeles Times poll of Democratic officials found the party, reeling from its losses of the White House and the U.S. Senate in two election cycles, appeared ready to consider less shopworn candidates.

When the Democrats were asked to list their No. 1 choice for a presidential candidate, 19 percent favored Gore, 18 percent backed Kerry, 13 percent selected Edwards and 10 percent named Rep. Richard Gephardt of Missouri, who stepped down as the party's leader in the U.S. House of Representatives after losses in the midterm election.

Although 96 percent of the committee members -- some 450 state and local Democratic Party leaders -- remained loyal to former President Bill Clinton, most thought he should limit his campaign appearances for other candidates in 2004.

The Democratic National Committee, the governing body of the national party, does not select the party's candidate, but can have a strong influence over who runs and gets party backing.

The newspaper contacted 312 of 388 DNC members by telephone Nov. 7-8. The margin of error was 2 percentage points.

Stars honored at Kennedy Gala Center (0, Offtopic)

Billly Gates (198444) | more than 11 years ago | (#4841997)

WASHINGTON (AP) -- Academy Award-winning actress Elizabeth Taylor and Grammy-honored singer Paul Simon were among five stars from the world of performing arts being honored Sunday for their career achievements.

Joining them at a White House reception before a gala at the nearby Kennedy Center for the Performing Arts were actor James Earl Jones, actress-singer-dancer Chita Rivera and conductor James Levine.

President Bush and first lady Laura Bush planned to attend the 25th annual program where the careers of this year's honorees are celebrated.

The Kennedy Center's chairman, James A. Johnson, called Taylor "a luminous film actress who for nearly 60 years has been a Hollywood icon treasured by millions throughout the world."

Taylor, 72, became a child star with "National Velvet" in 1944 and later won Oscars for "Butterfield 8" in 1960 and "Who's Afraid of Virginia Woolf" in 1966.

More recently, she has helped raise millions of dollars to fight AIDS.

Simon, 51, was added to the lineup in August when, a few weeks after the official announcement, former Beatle Paul McCartney withdrew because of a personal obligation.

The Kennedy Center said McCartney would be on the 2003 list and that Simon would have been honored in the future.

Simon first became known as part of a duo with Art Garfunkel. "Sound of Silence" and "Bridge Over Troubled Water" were among their most popular numbers.

The songwriter helped shape several generations of young Americans, Johnson said. "More recently, his work has encompassed an awareness of and concern for international art and artists," he said.

The other honorees are:

Levine, 49, longtime musical director of the Metropolitan Opera and now leader of the Boston Symphony Orchestra, was credited with bringing "one of the world's foremost opera companies to unsurpassed artistic excellence."

Rivera, 69, "a musical theater star of the highest magnitude." She is a two-time Tony Award winner.

Jones, 71, "an actor whose extraordinary range and power have made him an American institution." The voice of the evil Darth Vader in "Star Wars," his long and varied career has produced two Tonys and four Emmys.

The first Kennedy Center honors in 1978 named singer Marian Anderson, actor and dancer Fred Astaire, choreographer George Balanchine, composer Richard Rodgers and pianist Arthur Rubinstein.

The program airs December 27 on CBS.

Texan Killed Friend Who Drank Last Cold Beer (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4842031)

BANDERA, Texas (Reuters) - A jury on Thursday handed a life prison sentence to a Texas man who shot and killed a longtime friend he accused of drinking the last beer in his refrigerator.

Jurors deliberated for less than two hours before passing the sentence on Steven Brasher, 42, for the murder of Willie Lawson, 39, on Nov. 5 last year.

"There was only two beers left, so I took one, and I told Willie not to take my last beer," Brasher said in a taped statement that was played during the trial.

Testimony showed Brasher shot Lawson in the head with a pistol after the two began arguing over the missing beer. Brasher maintained the shooting was an accident.

Useful, but.... (0)

Anonymous Coward | more than 11 years ago | (#4841854)

Sounds like a useful idea, kind of like Sun's signed patches. Keeping up might be a challenge.

You might want to include source tarballs of important software, otherwise it won't be of much help to those of us who roll our own.

You know... this brings up a question.... (1)

tvadakia (314991) | more than 11 years ago | (#4841857)

Would anyone know what field of study, what references, classes, or otherwise would be useful in getting into Computer Forensics? Or, to specify, forensics of either computer crime, or finding proof to a crime within a computer. It's of great interest to me as it may be a direction I may be heading into.

Re:You know... this brings up a question.... (0)

Anonymous Coward | more than 11 years ago | (#4841892)

The web site is an apache test page.

A visiting speaker gave a seminar like that at Victoria University of Wellington, but I missed it.

Re:You know... this brings up a question.... (1)

base3 (539820) | more than 11 years ago | (#4841957)

From what little reading/talking to people I've done, it really helps to be a cop first.

Good thinking 99 (0)

spress (584556) | more than 11 years ago | (#4841858)

Put the checksums for trojaned programs in the database, then crack the popular download sites. Who would know?

Re:Good thinking 99 (1)

russx2 (572301) | more than 11 years ago | (#4841938)

Now that is definitely one of those easier said than done scenarios... While not a failsafe method, this seems a pretty good idea. Those with precompiled binaries would find it the most useful tho I guess.

ooooo nifty (5, Insightful)

netwiz (33291) | more than 11 years ago | (#4841859)

I've been wondering when something along these lines would be available.

[devil's advocate] However, how do we know that the pregenerated checksums are correct? Who watches the watchers? [/devil's advocate]

Yah, yah, I know, the easiest way is to inspect the source for the minicompiler, the main compiler, and the program by hand, then build all of them step-by-step until you're done, then use the final binary to generate your hash. I wonder, tho, how much drift might there be in using a pre-built compiler (say I D/Led the binaries for GCC and the libraries to go with it). One tiny change in machine state (or any other number of things I would suppose) could result in the final binary being a single byte off, and the whole thing's a wash.

Granted, I may be talking out of my ass here, could someone w/ some hard-core coding knowledge or CS experience expound on the above?

Re:ooooo nifty (1)

MrWa (144753) | more than 11 years ago | (#4842057)

[devil's advocate] However, how do we know that the pregenerated checksums are correct? Who watches the watchers? [/devil's advocate]

And haven't past trojaned programs come with MD5 checksums that matched? (thinking back the OpenSSH here...)

Re:ooooo nifty (2)

Mnemia (218659) | more than 11 years ago | (#4842074)

Yes, but only because this whole system is pretty weak cryptographically. What should be done is that the binary should be signed with a private key only available to the legitimate developers. This notion of having md5sums to verify integrity is useless if the hash value and the actual binary are stored on the same server, where both can be compromised at the same time.

Checksum (1, Informative)

Anonymous Coward | more than 11 years ago | (#4841865)

checksum [reference.com] :
<storage, communications> A computed value which depends on the contents of a block of data and which is transmitted or stored along with the data in order to detect corruption of the data. The receiving system recomputes the checksum based upon the received data and compares this value with the one sent with the data. If the two values are the same, the receiver has some confidence that the data was received correctly.

The checksum may be 8 bits (modulo 256 sum), 16, 32, or some other size. It is computed by summing the bytes or words of the data block ignoring overflow. The checksum may be negated so that the total of the data words plus the checksum is zero.

Internet packets use a 32-bit checksum.

Re:Checksum (1)

netwiz (33291) | more than 11 years ago | (#4841947)

oh whatever, it's late, and I'm on only a few hours sleep. cut me some slack :) I got it right later on...

could someone who doesn't want to punk me out give some insight to my earlier question?

One other thing... (1)

carl67lp (465321) | more than 11 years ago | (#4841868)

Oddly, a search of both FreeBSD 4.7-Stable and Red Hat 8.0 for "apache" or "openssh" yielded no results.

Either I don't know how to search, or instructions need to be posted on how to search! That, or ... what about a list of all checksums for a complete distro?

Re:One other thing... (1)

kjd (41294) | more than 11 years ago | (#4842029)

It is searching for names of binaries, as opposed to names of the projects that created them. Try "httpd" and "sshd".

Also, Apache is not part of FreeBSD's base system.

Re:One other thing... (2)

MavEtJu (241979) | more than 11 years ago | (#4842080)

FreeBSD doesn't ship with Apache installed. /usr/bin/ssh shows up as 69de0f3690516ffe8e7a3661f2e01b0c and 89704 bytes, but on my machine (4.7 installed last saturday) it's bf470c491274e8739111d5723b90d88f and 85832 bytes. Oh dear...

What about Windows OS? (5, Insightful)

scubacuda (411898) | more than 11 years ago | (#4841871)

I didn't see the ability to search for Windows MD5 hashes.

Considering its history of vulnerabilities, I'd think that this would be pretty important...

Re:What about Windows OS? (1)

boopus (100890) | more than 11 years ago | (#4841920)

I realize I shouldn't take this question seriously, but... In reality, Windows hashes aren't too valuable because Windows isn't open source. You can't compile an explorer.exe with a nice back door added in unless you've got the source to explorer.exe.

Re:What about Windows OS? (3, Insightful)

Trusty Penfold (615679) | more than 11 years ago | (#4841945)

You can't compile an explorer.exe with a nice back door added in unless you've got the source to explorer.exe.

Of course you can - it is trivial to alter the behaviour of a Windows executable; viruses do it all the time.

Append the backdoor to explorer.exe, fiddle with a few bits so the backdoor gets executed first, and find a way to drop it onto the system.

Re:What about Windows OS? (2)

scubacuda (411898) | more than 11 years ago | (#4841960)

I'm not a programmer... but I have played with Tripwire on Windows.

I thought it would work much the same way: you'd compare the DB hash with the actual hash of the file to determine its integrity (without regard to its source code).

How does this not affect Windows?

Re:What about Windows OS? (2)

Sludge (1234) | more than 11 years ago | (#4842085)

I understand that, starting with win2k, renaming all of the mainstay windows files will have them automatically come back. But, you can disable that in the registry. So, assuming a trojan has done that...

First, rename explorer.exe to something else. Next, create a new explorer.exe which executes whatever you want it to, and then have it execute the old explorer.exe so it behaves as normal. Transparent to most users.

Re:What about Windows OS? (4, Insightful)

kubrick (27291) | more than 11 years ago | (#4841952)

What about viruses that change the structure of the files they infect? Especially ones that haven't been spotted by the anti-virus firms yet (rare, I know, because they probably develop and release most of them).

Also, can't people still use disassemblers to 'crack' files, and maybe add backdoors at the same time?

Both of these activities would be reflected by checksum changes.

Re:What about Windows OS? (1)

MrWa (144753) | more than 11 years ago | (#4842032)

I didn't see the ability to search for Windows MD5 hashes. Considering its history of vulnerabilities, I'd think that this would be pretty important...

Well, if you realized that those vulnerabilities were in the released and correct versions of the Windows software it wouldn't seem that important. Unless you just wanted to prove that you had an insecure version of some software...

NIST NSRL (was Re:What about Windows OS?) (1)

Taim (1157) | more than 11 years ago | (#4842062)

(Copied from my earlier post [slashdot.org] )

NIST (The National Institute of Standards and Technology) currently has a program to provide this service, though largely focused on Microsoft OSes and associated apps. It may be found here: National Software Reference Library [nist.gov]

The complete list of software they've checksummed can be found here: Software Listing [nist.gov] or you can use their search engine if you're looking for a specific application here: Search Engine [nist.gov]

Compromised /bin/md5 (5, Informative)

Cadre (11051) | more than 11 years ago | (#4841877)

What they don't say and what a lot of security folks forget to do is that they can't check your checksums of binaries on the same box. You need to copy the files to another box and check the checksums there with a known good version of your checksumming binary. The local version of your checksumming binary could have been compromised.

Heck, the utilities you used to pull the binary off the machine in question could have been compromised and may not be actually copying the binary in question, but a good version of the binary. The only way to check this would be to mount the drive on another machine and check it there... And if people aren't doing that (which is a pain in the ass) all this website is going to do is give people a false sense of security.

Re:Compromised /bin/md5 (1)

GigsVT (208848) | more than 11 years ago | (#4841946)

It's easier to just boot off known good read-only media, mount the file systems in a mount directory and use the utilities from that. Most distros have bootable install CDs these days that you can use for this.

Re:Compromised /bin/md5 (1)

int69h (60728) | more than 11 years ago | (#4841953)

Wouldn't keeping a static binary of your utility on removable media be easier? Why bring the files to the utility when you can bring the utility to the files?

Re:Compromised /bin/md5 (0)

Anonymous Coward | more than 11 years ago | (#4842021)

Wouldn't keeping a static binary of your utility on removable media be easier?

then attacker hacks your kernel to load alternate, malicious bin when you run your md5 program.

Why bring the files to the utility when you can bring the utility to the files?

b/c you must eliminate everything that has the potential to have been cracked.

Re:Compromised /bin/md5 (0)

Anonymous Coward | more than 11 years ago | (#4842061)

Duh. Don't load the kernel off the compromised machine. Both the kernel and the utilities used for inspection would be on the removable media.

Please think before you are so quick to correct others.

Re:Compromised /bin/md5 (0)

Anonymous Coward | more than 11 years ago | (#4841958)

Worse, a trojaned MD5Sum could be created ( and I'm going to code one tonight ), that uses uname to find out the current host type, and then gets the correct MD5 from this website, and substitutes that. In such an environment, this website actually provides exploit cloaking!

Re:Compromised /bin/md5 (2)

iabervon (1971) | more than 11 years ago | (#4842030)

If md5sum doesn't work when you disable the network, be very very suspicious...

Re:Compromised /bin/md5 (1)

alonsoac (180192) | more than 11 years ago | (#4842000)

The only way to check this would be to mount the drive on another machine and check it there...

Or, as someone else mentioned, you can boot from a CD where you have known good copies of all the files you need to perform the security checks, copy files, etc.

Re:Compromised /bin/md5 (3, Insightful)

Idarubicin (579475) | more than 11 years ago | (#4842086)

Heck, the utilities you used to pull the binary off the machine in question could have been compromised and may not be actually copying the binary in question, but a good version of the binary. The only way to check this would be to mount the drive on another machine and check it there... And if people aren't doing that (which is a pain in the ass) all this website is going to do is give people a false sense of security.

Other replies have mentioned that it might make more sense to boot off known clean read-only media, on which you also have a copy of your checksum utility.

That said, this still provides a false sense of security. The only way to be absolutely certain that your binaries have not been compromised is the following technique:

Have all your code written by hermit programmers. They must develop their OS and all programming tools (compilers, etc.) by themselves, on a computer that has no connection to the outside world. Taking an OS from another hermit programmer is also acceptable, as long as it is conveyed by hand from one to the other.

You must know and trust all of the hermit programmers.

The hermits must live, eat, and sleep in giant vaults designed to provide physical security to them and their computers. They definitely will not have telephones.

They must develop applications from scratch--no outside data may be allowed to contaminate their pristine systems. Source code may be imported, as long as it is delivered in hard copy form and hand keyed by someone who is very security conscious.

The hermits must hand deliver the binaries of applications to you. You should have already received a copy of their pristine OS by this method.

Presto! Completely secure binaries. No trojans. No false sense of security.

Oh, unless someone finds a buffer overrun that your hermits missed. Then some kiddie will own your box. Damn.

Polymorphic files (5, Informative)

cperciva (102828) | more than 11 years ago | (#4841884)

There is one problem with this: Some files are going to be different every time they are compiled. In particular, quite a few files include time stamps.

A few months ago I put together a list of the "polymorphic" files in FreeBSD 4.6:

- /kernel, /boot/loader, and /boot/pxeboot all contain user, host, time, and date stamps, as expected.
- All .a files (126 in /usr/lib, one in /usr/libdata/perl/5.00503/mach/auto/DynaLoader) contain indices of .o files, including seconds-since-epoch stamps.
- User, host, time, and date stamps are found in: /etc/mail/freebsd.cf /usr/sbin/named /usr/libexec/named-xfer
- Time and date stamps are found in: /usr/bin/suidperl /usr/bin/ntpq /usr/sbin/ntp(d|date|dc|timeset|trace) /usr/sbin/isdn(d|debug|monitor|phone|telctl) /usr/libdata/perl/5.00503/mach/perllocal.pod
- Date stamps are found in: /usr/sbin/ppp /var/db/port.mkversion /usr/share/doc/usd/(07.mail|13.viref|18.msdiffs|19.memacros|20.meref)/paper.ascii.gz (once you ungzip them) /usr/share/perl/man/man3/(Config|DynaLoader).3.gz (once you ungzip them)
- Files which are always the same size, but have randomized contents: /usr/share/games/fortune/*.dat /var/games/phantasia/void

These files are always going to set off alarms if you've upgraded-by-source. (On the other hand, if a file *not* on this list has a different checksum, it probably just means that you've applied a security patch.)

Re:Polymorphic files (1)

stratjakt (596332) | more than 11 years ago | (#4842003)

No, but you can make sure your compiler is okee-fine before you go compiling, and you could possibly do an md5 audit of all the source files you use.

But I thought open source was super-duper impregnable because everyone who uses it carefully examines each line of code before compiling and using it, and would instantly notice any piggybacked routines or out of place library calls.

Well, I'm being sarcastic... Truth is, no one would notice if the latest kernel patch had a few lines in it giving root access to UID: troll PWD: goatse

MD5 hashes on the source code help.

Of course, like any digital (or regular) signature, it's only as good as the signator.

Lots of people wouldn't hesitate to sign 'Bill Gates' on a million dollar cheque. Or "Linus Torvalds" on a kernel update they snuck onto one of the mirrors.

md5sum Binary Might Be Trojaned (5, Informative)

John Hasler (414242) | more than 11 years ago | (#4841911)

Boot from a known good floppy or CD to check your md5sums.

Or even better (0)

Anonymous Coward | more than 11 years ago | (#4841994)

The known md5 hashes database might get hacked, so your fresh install appears to have been hacked even before you put it on the net! Pesky hackers.

Thanks for the help (0)

Anonymous Coward | more than 11 years ago | (#4841913)

I'm working on a trojan md5sum program and it was getting suspiciously large because of all the md5 sums it has to contain. But now I just have to make a network connection to your database. Thanks a bunch!

what about Sun's fingerprint database (1)

ybrich (632499) | more than 11 years ago | (#4841919)

That covers all the issues with keeping up to date, from a 'trusted' source... of course it's no help for those not running Sun... http://www.sun.com/solutions/blueprints/0501/Fingerprint.pdf Get access to Sun's database, or just drop it, and point Sun users to SunSolve

Re:what about Sun's fingerprint database (1)

ybrich (632499) | more than 11 years ago | (#4841936)

Feck http://www.sun.com/solutions/blueprints/0501/Fingerprint.pdf

Local utility would be better (1)

tricknology (112298) | more than 11 years ago | (#4841929)

While this is all well and good, it seems what would be better is a local utility that would allow scanning of the system for executables, etc. MD5 Hashes can be computed, and the results burned to a CD. This will eliminate the problem of different hashes due to things like timestamps, etc.

Still kinda cool, tho.

Filtered as a "Hacking" site (4, Interesting)

KidSock (150684) | more than 11 years ago | (#4841932)

My corporate www proxy filters this site as category "Hacking".

Re:Filtered as a "Hacking" site (-1, Troll)

Trolly McTroll-Troll (632114) | more than 11 years ago | (#4841990)

Hey you...GET BACK TO WORK!

Great! (1)

TermAnnex (154514) | more than 11 years ago | (#4841935)

Great! Now to modify the checksum generator to check this site, and return good checksums. ;)

Seriously though, good idea. It's nice to have this available, even if it can't be 100% trusted. Maybe distro makers should start providing something similar? Maybe a CD (or floppy) that you can boot the machine from, which checks all files against a database on disc.

You can obviously do this yourself, using tripwire. Although, most people just don't want to take the time to wait for tripwire to finish making hashes of each file on the system.

Uh, Sun beat you to it for solaris (1)

sjh (29820) | more than 11 years ago | (#4841948)

SunSolve [sun.com]

config files (5, Funny)

Erpo (237853) | more than 11 years ago | (#4841949)

This is great for precompiled binaries, but it won't work so well for config files - they're different from system to system. I have a better solution:

Anyone who wants to make sure their important config files haven't been changed by an intruder can email them to me, and I'll hold on to them for safe keeping. /etc/passwd and /etc/shadow are especially likely to be modified, so I'd recommend sending those right away.

Hey man... (2)

inode_buddha (576844) | more than 11 years ago | (#4841962)

have some Ajax (TM), you can get paranoid without even smoking anything!

Useless for RPM-Based Distributions (0)

Anonymous Coward | more than 11 years ago | (#4841963)

This is completely redundant for RPM-based distributions. RPMs store MD5 sums and you can get these from the original installation source. You can verify installed files from an uninstalled RPM.

Relief (3, Funny)

eyeball (17206) | more than 11 years ago | (#4841965)

Oh good, the md5 hash for my /sbin/md5 binary matches the signature found on known-goods. Now I can sleep at night. oh, wait...

What about a more targeted approach? (2)

scubacuda (411898) | more than 11 years ago | (#4841982)

What about focusing on files that are routinely replaced with trojans, rootkits, etc.?

I'm not saying NOT to do the rest of the files, just that these (I'd think) would be the files that you'd want to check FIRST before the rest of the system.

Perhaps a separate section featuring these targeted areas?

I have to wonder... (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4841985)

...how often this will reveal distro's slipstreaming changes into a given version number.

Can you imagine... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4842006)

a Soviet beowulf cluster of naked-and-petrified Natalie Portman clones pouring hot grits down their pants while viewing goatse.cx, posting in haiku, and giving CmdrTaco a blowjob?

Moreover, IF I EVER MEET YOU I WILL KICK YOUR ASS.

package mangement (2)

hpavc (129350) | more than 11 years ago | (#4842010)

do any of the distributions allow for doing something like this via apt/dpkg?

likely only handle part of the .rpm/.deb but it seems like something workable for the binaries that are installed.

Something's wrong here (5, Insightful)

phr2 (545169) | more than 11 years ago | (#4842011)

If we need an external database of md5's to authenticate so many different files, that means that md5's weren't really the right authentication method to begin with. It's better to use digital signatures.

The fancy way to do that is with an Authenticode-like system for signing files. Distro maintainers would sign the files in their distros, and users could also sign their own files. A simpler way would be to just have a big, signed list of md5's in some file that tripwire checks against. Tripwire would check the signature on the file before believing the md5's in it. Or the list could contain individual signatures per file instead of just hashes.

A centralized md5 database doesn't feel so right with the free software spirit, which says (legitimate) users could modify the files at any time, or just recompile them with a slightly different compiler, etc.

Re:Something's wrong here (3, Interesting)

ShmuelP (5675) | more than 11 years ago | (#4842106)

And what's to prevent an intruder from adding a trojan to the signature-checking program/library?

Chicken-and-egg...

Re:Something's wrong here (3, Informative)

ShmuelP (5675) | more than 11 years ago | (#4842122)

A simpler way would be to just have a big, signed list of md5's in some file that tripwire checks against. Tripwire would check the signature on the file before believing the md5's in it.

Note: this is exactly what tripwire already does. Except that it also stores other file attributes as well.
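The signed list of digests phr2 describes, with ShmuelP's caveat kept in mind (the verifier and the public key have to come from read-only media, not from the host being checked), looks like this in practice. The program below is an added example written for this page, not Tripwire's code and not anything published by knowngoods.org. It walks a directory, writes one "md5 sha1 relative-path" line per regular file (that line format is this example's own convention), signs the manifest with an Ed25519 key from Go's standard library, and on verification refuses to read a single digest until the signature checks out. Files present on disk but absent from the signed list are reported too, since a rootkit adds files as often as it replaces them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// fileDigests computes MD5 and SHA-1 of one file in a single pass.
func fileDigests(path string) (md5Hex, sha1Hex string, err error) {
	f, err := os.Open(path)
	if err != nil {
		return "", "", err
	}
	defer f.Close()
	m, s := md5.New(), sha1.New()
	if _, err := io.Copy(io.MultiWriter(m, s), f); err != nil {
		return "", "", err
	}
	return hex.EncodeToString(m.Sum(nil)), hex.EncodeToString(s.Sum(nil)), nil
}

// BuildManifest lists every regular file under root as "<md5> <sha1> <path>",
// sorted so the output is reproducible. Run it on the fresh install, before
// the box goes on the net, and again after each patch you apply yourself.
func BuildManifest(root string) ([]byte, error) {
	var lines []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		m, s, err := fileDigests(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		lines = append(lines, m+" "+s+" "+filepath.ToSlash(rel))
		return nil
	})
	if err != nil {
		return nil, err
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n"), nil
}

// SignManifest produces a detached Ed25519 signature; the private key stays
// on the offline signing machine or read-only media, never on the host.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyTree checks the signature first and only then trusts the digests.
// It returns a description of every file that is missing, altered, or not
// listed; a bad signature is an error, not a list of mismatches.
func VerifyTree(pub ed25519.PublicKey, manifest, sig []byte, root string) ([]string, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, fmt.Errorf("manifest signature does not verify; its digests cannot be trusted")
	}
	var bad []string
	listed := map[string]bool{}
	for _, line := range strings.Split(string(manifest), "\n") {
		fields := strings.SplitN(line, " ", 3)
		if len(fields) != 3 {
			continue // blank trailing line
		}
		wantMD5, wantSHA1, rel := fields[0], fields[1], fields[2]
		listed[rel] = true
		gotMD5, gotSHA1, err := fileDigests(filepath.Join(root, filepath.FromSlash(rel)))
		if err != nil {
			bad = append(bad, rel+": "+err.Error())
		} else if gotMD5 != wantMD5 || gotSHA1 != wantSHA1 {
			bad = append(bad, rel+": digest mismatch")
		}
	}
	// Anything on disk that the signed list never mentioned is suspect too.
	filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		if rel = filepath.ToSlash(rel); !listed[rel] {
			bad = append(bad, rel+": not in manifest")
		}
		return nil
	})
	return bad, nil
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	pub, priv, _ := ed25519.GenerateKey(nil) // demo only; keep the real key offline
	manifest, err := BuildManifest(root)
	if err != nil {
		panic(err)
	}
	bad, err := VerifyTree(pub, manifest, SignManifest(priv, manifest), root)
	fmt.Println(len(bad), "problems, err:", err)
}
```

An attacker who replaces /bin/ps can no longer just edit the list to match, because the signature over the list fails; the remaining hole is the one ShmuelP names, a trojaned verifier, which is why this binary and the public key belong on the boot CD rather than on the checked host.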

Breakfast (0)

Anonymous Coward | more than 11 years ago | (#4842013)

club!

Debian / debsums (5, Informative)

zsazsa (141679) | more than 11 years ago | (#4842016)

Debian has this built into the OS with debsums [debian.org] .

It does require a legit dpkg database (and md5sum, and the debsums program itself...) but it's a nice tool.

Problems with patched OSes / custom builds (2, Interesting)

Turambar (5226) | more than 11 years ago | (#4842020)

This sounds nice, but I see problems as installs move from the "100% installed code" to the "patch of the week" versions. Especially when you have to do custom builds of the software.

Are you running BIND, Apache, wu-ftpd, or (shudder) Sendmail? If you are, your system won't be entirely in their shiny dbase for more than a month (probably more like a week) after you install. And if _you_ don't update it, someone will be kind enough to "update" some file for you soon enough...

As a test, I checked /bin/ps on a few local systems. (If you don't know why I started with this one, you will. Probably sooner than you'd wish to.)

From the dbase:

RH 7.1 - MD5: ac0b58050deb21db1ed701277521320b
RH 7.3 - MD5: 6d3abf4efc9235e4eb5dc540d61d42fa

My systems:

#1 - MD5: ac0b58050deb21db1ed701277521320b
#2 - MD5: ac0b58050deb21db1ed701277521320b
#3 - MD5: 9724525265900e5f9020de3b431425b1
#4 - MD5: 881c7af31f6f447e29820fb73dc1dd9a
#5 - MD5: 6d3abf4efc9235e4eb5dc540d61d42fa

Binary compatibility is seen for systems 1, 2, and 5, but the RH7.2 system (#4) doesn't match. System #3 is a Gentoo system, which is probably the most secure, but also the least likely to ever match with their list. I guess that's the peril of compiling your own code.

Ooh! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4842023)

First post!

CONGRATULATIONS (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4842033)

Congratulations! You win the grand prize [goatse.cx] !

Use BITZI too! (3, Informative)

aminorex (141494) | more than 11 years ago | (#4842028)

I'd rather see everyone using bitzi.com, since its goal is to gather metadata for *every* file in the universe, and keep the data free, supported by a related business model (and a viable, sustainable support mechanism is GOOD), but I support this project too, because choice and freedom are goods. Therefore, I urge everyone to submit metadata to both projects.

If you only submit to one, however, please submit to bitzi, because it provides an automation API, and uses better hashes.

Note that I have no affiliation with the Bitzi company.

Another Resource (5, Informative)

Taim (1157) | more than 11 years ago | (#4842048)

NIST (The National Institute of Standards and Technology) currently has a program to provide this service, though largely focused on Microsoft OSes and associated apps. It may be found here: National Software Reference Library [nist.gov]

The complete list of software they've checksummed can be found here: Software Listing [nist.gov] or you can use their search engine if you're looking for a specific application here: Search Engine [nist.gov]

Needs more... (2)

j3110 (193209) | more than 11 years ago | (#4842050)

Something to combat md5sum itself from being cracked. Perhaps a statically compiled binary that you can download with the program of your choice. Then rootkits would have to modify every program that can download a file, or the kernel. The best system would be a nice bootable CD that would scan all known file system types for files that have md5 sums of known bad files, not search for files and make sure they have a md5 sum of a good file. Then root kits will have to rely on a compiler or append random bytes to the end of the files.

Well this gets so complicated that by the time you've thought it all out, you really need virus scanner technology to thwart root kits. Maybe a kernel patch could run a virus scan on executable files? It would be quite difficult to tamper with the actual running kernel in memory without causing the system to lock or reboot, thus giving away that the system is being tampered with. Assuming root kits are distributed in source form, you'll need heuristic scanning to find them. This means false positives and manual overrides by the system administrator.

Combination solution. (3, Interesting)

pr0ntab (632466) | more than 11 years ago | (#4842059)

Ideally, a simple tool should be developed that does the following:

Compare the MD5sums of critical files to a recent known "snapshot" of the system on RO media, which only indexes files that were changed and reconciled. Perhaps there is a list of files of which only certain byte ranges (perhaps just executable ELF sections) are checked, and some are omitted. (Other slashdotters mention caches/timestamps in certain relevant files that screw up checksums). You would have a whitelist (files which must match), then a graylist (files which meet byte-range criteria), and perhaps even a blacklist that prevents files that would normally be flagged to be ignored.

In checking full file checksums, those not explicitly listed above would fallback to a check using a HTTP get request conforming to this helpful document [knowngoods.org] these guys have offered.

And to those who were asking about other distributions: they are looking for people willing to work with them to add new distros/architectures to their database.
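cperciva's list of "polymorphic" files above and pr0ntab's graylist of byte-range checks point at the same technique: for a binary that legitimately carries a build stamp, digest only the parts that carry machine code. The program below is an added example written for this page, not code from knowngoods.org, Tripwire, or either poster. Using Go's standard debug/elf package it hashes just the SHF_EXECINSTR sections of an ELF image, each prefixed with its name and length, so the user@host/date strings that live in .comment, .rodata or .data drop out of the result. Because no real binary can be assumed present, it also builds two constructed, non-runnable but well-formed ELF64 images that differ only in their .comment stamp; the instruction bytes and the layout of those images are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"debug/elf"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
)

// CodeDigest hashes only the executable sections of an ELF image, in file
// order, each prefixed by "<name>:<length>:" so sections cannot be merged or
// swapped without changing the digest. Build stamps in non-executable
// sections do not affect it; any change to the code does.
func CodeDigest(r io.ReaderAt) (string, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return "", err
	}
	h := sha1.New()
	n := 0
	for _, s := range f.Sections {
		if s.Flags&elf.SHF_EXECINSTR == 0 || s.Type == elf.SHT_NOBITS {
			continue
		}
		data, err := s.Data()
		if err != nil {
			return "", err
		}
		fmt.Fprintf(h, "%s:%d:", s.Name, len(data))
		h.Write(data)
		n++
	}
	if n == 0 {
		return "", fmt.Errorf("no executable sections found")
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// constructedELF assembles a minimal ELF64 image (header, .text, .comment,
// .shstrtab, then the section header table) purely as sample input; it is
// not a real program and cannot be executed.
func constructedELF(text, comment []byte) []byte {
	strtab := []byte("\x00.text\x00.comment\x00.shstrtab\x00")
	const ehsize = 64
	textOff := uint64(ehsize)
	commentOff := textOff + uint64(len(text))
	strOff := commentOff + uint64(len(comment))
	hdr := elf.Header64{
		Type: uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64), Version: 1,
		Shoff: strOff + uint64(len(strtab)), Ehsize: ehsize, Shentsize: 64, Shnum: 4, Shstrndx: 3,
	}
	copy(hdr.Ident[:], "\x7fELF")
	hdr.Ident[elf.EI_CLASS] = byte(elf.ELFCLASS64)
	hdr.Ident[elf.EI_DATA] = byte(elf.ELFDATA2LSB)
	hdr.Ident[elf.EI_VERSION] = byte(elf.EV_CURRENT)
	secs := []elf.Section64{
		{}, // mandatory null section header
		{Name: 1, Type: uint32(elf.SHT_PROGBITS), Flags: uint64(elf.SHF_ALLOC | elf.SHF_EXECINSTR), Off: textOff, Size: uint64(len(text)), Addralign: 1},
		{Name: 7, Type: uint32(elf.SHT_PROGBITS), Off: commentOff, Size: uint64(len(comment)), Addralign: 1},
		{Name: 16, Type: uint32(elf.SHT_STRTAB), Off: strOff, Size: uint64(len(strtab)), Addralign: 1},
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr)
	buf.Write(text)
	buf.Write(comment)
	buf.Write(strtab)
	binary.Write(&buf, binary.LittleEndian, secs)
	return buf.Bytes()
}

func main() {
	// constructed x86-64 bytes: push rbp; mov rbp,rsp; pop rbp; ret
	code := []byte{0x55, 0x48, 0x89, 0xe5, 0x5d, 0xc3}
	a := constructedELF(code, []byte("built by alice@buildhost on Mon Dec  2 2002\x00"))
	b := constructedELF(code, []byte("built by bob@otherhost on Tue Dec  3 2002\x00"))
	da, _ := CodeDigest(bytes.NewReader(a))
	db, _ := CodeDigest(bytes.NewReader(b))
	fmt.Println("code digests equal:", da == db, "  whole-file digests equal:", bytes.Equal(a, b))
}
```

Use this only for files on the known-polymorphic list, as a graylist check next to the full-file whitelist. It deliberately ignores data: an attacker who leaves the code alone but edits a string in .rodata that the code trusts (a path, a hostname, a hard-coded password check) passes it, and a hostile binary can also carry its payload in a section without the SHF_EXECINSTR flag and map it executable at run time, so a clean code digest narrows the search rather than closing it.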

I would've replaced md5 itself - right ? (1)

alex733 (521583) | more than 11 years ago | (#4842069)

I had my Linux 6.0 broken into and ls binary was replaced together with md5 checksum generator so it was really hard for me to find out.

Bleah (4, Informative)

digitaltraveller (167469) | more than 11 years ago | (#4842094)

NIST [nist.gov] does this too. For a different reason though. To help forensic examiners eliminate non-important data in a suspect's computer. They use 4 different hash algorithms (MD5, SHA-1, CRC32, and one other), so good luck finding a collision for all 4. They were giving out copies of the CD-hashdb at an InfoSec conference I was at recently.

Terrorists use md5 :) (0)

Anonymous Coward | more than 11 years ago | (#4842104)

Cheers

Kids these days... (1)

Curl E (226133) | more than 11 years ago | (#4842105)

Tripwire [tripwire.org]

SE Linux: An ounce of prevention vs pound of cure (1)

Tracy Reed (3563) | more than 11 years ago | (#4842117)

Had you been running SE Linux your files would not have been modified in the first place and a good audit trail would tell you what they attempted to modify.