Find Compromised Packages






Find Compromised Packages

Verify operating system managed files with your system's package management system.

So, you've had a compromise and you need to figure out which files (if any) the intruder modified, but you didn't install Tripwire? Well, all is not lost if your distribution uses a package management system.

While not as powerful as Tripwire, package management systems can be useful for finding to what degree a system has been compromised. They usually keep MD5 signatures for all the files the package has installed. You can use this functionality to check the packages on a system against its signature database.

Using RPM

To verify a single package on a system that uses RPM, run this command:

# rpm -V 
               
                  package
               
            

If the intruder modified any binaries, it's likely that the ps command was one of them. Use these commands to check its signature:

# which ps
/bin/ps
# rpm -V \Qrpm -qf /bin/ps\Q
S.5....T   /bin/ps

Here, the S, 5, and T show us that the file's size, checksum, and modification time have changed since it was installednot good at all. Note that only files that do not match the information contained in the package database will result in output.

To verify all packages on the system, use the usual rpm option that specifies all packages, -a:

# rpm -Va
S.5....T   /bin/ps
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/security/access.conf
S.5....T c /etc/pam.d/login
S.5....T c /etc/rc.d/rc.local
S.5....T c /etc/sysconfig/pcmcia
.......T c /etc/libuser.conf
S.5....T c /etc/ldap.conf
.......T c /etc/mail/sendmail.cf
S.5....T c /etc/sysconfig/rhn/up2date-uuid
.......T c /etc/yp.conf
S.5....T   /usr/bin/md5sum
.......T c /etc/krb5.conf

There are other options you can use to limit what gets checked on each file. Some of the more useful ones are -nouser, -nogroup, -nomtime, and -nomode, which can eliminate a lot of the output that results from configuration files that you've modified.

Note that you'll probably want to redirect the output to a file, unless you narrow down what gets checked by using the command-line options. Running rpm -Va without any options can result in quite a lot of output from modified configuration files and such.

This is all well and good, but it ignores the possibility that an intruder has compromised key system binaries and might have compromised the RPM database as well. If this is the case, you can still use RPM, but you'll need to obtain the file the package was installed from in order to verify the installed files against it.

The worst-case scenario is that the rpm binary itself has been compromised. It can be difficult to be certain of this unless you boot from alternate media, as mentioned in "Image Mounted Filesystems" [Hack #121]. If this is the case, you should locate a safe rpm binary to use for verifying the packages.

First, find the name of the package that owns the file:

# rpm -qf 
               
                  filename
               
            

Then, locate that package from your distribution media, or download it from the Internet. After doing so, verify the installed files against what's in the package using this command:

# rpm -Vp 
               
                  package file
               
            

Using Other Package Managers

Under systems that use Debian's packaging system, you can use the debsums command to achieve mostly the same results. Run this to verify all packages installed on the system:

# debsums -ac
            

Or, if you want to verify them against packages stored on distribution media, you can use the following command instead:

# debsums -cagp 
               
                  path_to_packages
               
            

Under FreeBSD, you can use the -g option with pkg_info to verify the checksums of files that have been installed via a package:

$ pkg_info -g jpeg-6b_1
Information for jpeg-6b_1:

Mismatched Checksums:
/usr/local/bin/cjpeg fails the original MD5 checksum
/usr/local/bin/djpeg fails the original MD5 checksum
/usr/local/bin/jpegtran fails the original MD5 checksum
/usr/local/bin/rdjpgcom fails the original MD5 checksum
/usr/local/bin/wrjpgcom fails the original MD5 checksum
/usr/local/lib/libjpeg.a fails the original MD5 checksum
/usr/local/lib/libjpeg.so.9 fails the original MD5 checksum

To do this for all packages, run a command like this:

$ pkg_info -g \Qpkg_info | awk '{print $1}'\Q
            

Package managers can be used for quite a number of useful things, including verifying the integrity of system binaries. However, you shouldn't rely on them for this purpose. If possible, you should use a tool such as Tripwire [Hack #122] or AIDE (http://sourceforge.net/projects/aide).



 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows