On Mon, 6 Nov 2000, Chewie wrote:
> Here's a little known trick for a very minimalistic intrusion
> detection hack. Debian installs a file called <package>.md5sums in
> the directory /var/lib/dpkg/info/. If you move yourself to the root
> partition:
>
> bash$ cd /
>
> And run md5sum -c on the package files.
>
> bash$ for i in /var/lib/dpkg/info/*.md5sums ; do \
> > md5sum -c $i ; done &> /tmp/check.out
>
> You can pipe the output to an email to see if any of your installed
> programs have been tampered with. Tie it in with cron, and you've one
> more tool to use...
>
> ## Crontab entry for your user...
>
> 00 03 * * * cd /; for i in /var/lib/dpkg/info/*.md5sums ; do md5sum -c $i ; done
>
> Of course, this is nowhere near the same usefulness that running
> tripwire or aide might give you. If neither of these are installed,
> this "trick" may add a little more info to your clue box.

A nice little trick, and something I was playing around with on some
SGIs I manage. Not foolproof, though. They just have to install a
trojan md5sum or update your md5sum database. But it is certainly a
nice start, as no script kiddie will think to check your crontab for
stuff like that!

Damian Menscher
--
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
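
The two weaknesses named in the reply (a replaced md5sum binary, an updated md5sums database) can be narrowed by hashing the lists themselves against a baseline kept off the host and by calling a checksum tool from a trusted location. The script below is an added example, not code from either poster; the function names, the baseline file and the MD5SUM/SHA256SUM overrides are assumptions, and ROOT, INFO_DIR and BASELINE must be absolute paths.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the baseline file and
# the MD5SUM/SHA256SUM overrides are assumptions made for illustration.
MD5SUM=${MD5SUM:-md5sum}          # point at a trusted copy, e.g. on read-only media
SHA256SUM=${SHA256SUM:-sha256sum}

# Print every result line that is not "<path>: OK"; succeed only if none.
only_failures() { ! grep -v ': OK$'; }

# make_baseline INFO_DIR OUT: hash the md5sums lists on a known-good system.
# Keep OUT where the host cannot write it (another machine, read-only media).
make_baseline() {
    (cd "$1" && "$SHA256SUM" -- *.md5sums) > "$2"
}

# check_baseline INFO_DIR BASELINE: detects an edited or deleted list.
# Lists added by later package installs are not covered by the baseline.
check_baseline() {
    [ -d "$1" ] && [ -r "$2" ] || return 2
    (cd "$1" && LC_ALL=C "$SHA256SUM" -c "$2" 2>/dev/null) | only_failures
}

# check_pkg_sums ROOT INFO_DIR: the loop from the post, reporting only
# mismatched or missing files. Paths inside the lists are relative to ROOT.
check_pkg_sums() {
    [ -d "$1" ] || return 2
    rc=0
    for list in "$2"/*.md5sums; do
        [ -e "$list" ] || continue
        (cd "$1" && LC_ALL=C "$MD5SUM" -c "$list" 2>/dev/null) | only_failures || rc=1
    done
    return $rc
}

# audit ROOT INFO_DIR BASELINE: trust the lists only if they match the baseline.
# Returns 0 clean, 1 file mismatch, 3 database changed.
audit() {
    check_baseline "$2" "$3" || { echo "md5sums database changed" >&2; return 3; }
    check_pkg_sums "$1" "$2"
}
```

On a Debian host the call would be `audit / /var/lib/dpkg/info /path/to/baseline`, with the baseline regenerated after each legitimate package change.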