Re: Unrelated to NMR, but important...

From: Charles G. Fry <fry_at_chem.wisc.edu>
Date: Wed, 12 Dec 2001 19:24:19 -0600

Guillermo and AMMRL:

I have found MD5 checksums to be very useful to me in testing systems for intrusions such as you describe. We had an incident last week with a corrupted folder. It looked very strange, and I was very concerned that we had been hacked. But the MD5 checksums were all ok. So I went back to the user and asked a bunch more questions. Turned out the computer where his data partition exists was rebooted at the same time he was writing a file to the folder. It was the MD5 checksums that really convinced me--and allowed me to not spend substantially more time looking for hacker intrusions--that we were ok, and the problem arose from the reboot during the data write.

Sun has an extremely useful site (because it checks all versions of Solaris) at:

http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl

Purdue maintains a general version of the MD5 software for all systems at:

ftp://ftp.cerias.purdue.edu/pub/tools/unix/crypto/md5/

Check also CERT's information on MD5s, e.g.:

http://www.cert.org/security-improvement/implementations/i002.01.html

I keep a database of the MD5 checksums on all our systems (Sun and SGI). It is best to make these just after the OS has been installed and patched. Various system files like ls, ps, netstat, login, etc., are the best to check.

Good luck,
Charlie



At 02:08 PM 12/12/01 -0400, Guillermo Moyna wrote:
>Hi gang,
>
>This one is unrelated to NMR, but important if you have a linux box (i.e., new brukers will) with all your data on it.
>
>A little web server that we have here was hacked last weekend with a very pernicious rootkit called 'knark'. The hacker got into the machine, probably exploiting a vulnerability in one of the ports not protected by our firewall (great firewall, uh?), then installed this program, and got root access. The program (actually, a gzipped 'distribution' with makefile and everything) was installed deep in /dev/, so it would be hard to find. He also replaced a loadable kernel module by a trojan that would open the ports/services he wanted open after reboots. He also installed a variety of trojan replacements for common system commands (ps, ls, ifconfig, netstat, etc., etc.) that made the hacker's processes hidden to the user, as well as other programs, such as 'rootme', which gave him root privileges with no passwords, and a sniffer, so he could look at usernames/passwords that were issued from that machine. He/she also wiped out the /var/log directory to cover his tracks. This was his mistake, as the web-server died when /var/log/httpd was gone, and that's how I realized we were being hacked.
>
>In any case, the only solution was to unplug the thing from the wall, and now we are consulting with our ISP on the best route to take to make our server secure. I looked at 'tripwire', but apparently knark can get around tripwire. I'm certain that we'll have to re-format the drive and re-install the OS.
>
>Take-home message: If you are running brukers with linux, be VERY careful about these things. I also read that if the hacker had been a little less sloppy, we would not have noticed anything abnormal! If you need to have the linux box on the network (even a private one), remove ANY unused service, and firewall everything else. Also, if you are not doing development of programs, disable the C compilers, so that these things cannot be installed.
>
>Just thought I'd share my frustration with the group...
>
>Cheers,
>
>Guillermo
>+==================-------------- --- -- - - - -
>Guillermo Moyna, PhD
>Assistant Professor of Chemistry
>Department of Chemistry & Biochemistry
>University of the Sciences in Philadelphia
>600 South 43rd Street
>Philadelphia, PA 19104-4495
>
> "The only existing things are atoms and empty space.
> All else is mere opinion" - Democritus, 370 B.C.
>
>Office: Grifith Hall 360
>Phone: (215) 596-8526
>Fax: (215) 596-8543
>e-mail: g.moyna_at_usip.edu
>WWW: http://tonga.usip.edu/gmoyna/index.html
> http://www.usip.edu/chemistry/faculty/moyna.asp
> - - - - -- --- -----------=================+


----------------------------------------------------------
Charles G. Fry, Ph.D. Tel: (608)262-3182
Director, MR Facility Fax: (608)262-0381
Chem. Dept., Univ. Wisconsin
Madison, WI 53706 USA email: fry_at_chem.wisc.edu
----------------------------------------------------------
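The baseline-and-verify routine Charlie describes above (record MD5s of ls, ps, netstat, login and similar files right after the OS is installed and patched, recompute them later and compare), as an added example that is not code from either post. It assumes a POSIX shell with md5sum (or openssl as a fallback); the function names, the baseline file name and the scratch files standing in for system binaries in demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original posts: build an MD5 baseline of
# selected system binaries right after install/patch, then verify it later.
# Assumes a POSIX shell and md5sum (openssl is used as a fallback). Function
# names, file names and the sample "binaries" in demo() are constructed.

# Print "<md5hex>  <path>" for one file, in md5sum's layout.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1"
    else
        # openssl prints "MD5(path)= <hex>"; keep only the digest.
        h=$(openssl dgst -md5 "$1" | sed 's/^.*= *//')
        printf '%s  %s\n' "$h" "$1"
    fi
}

# make_baseline BASELINE FILE... : record one "hash  path" line per file.
# Take it on a freshly installed and patched system, then keep it (and a
# known-good md5 binary) on read-only media, not on the host being checked.
make_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        file_md5 "$f" >> "$baseline"
    done
}

# verify_baseline BASELINE : recompute every recorded file and report
# OK / MODIFIED / MISSING. Returns the number of files that are not OK.
verify_baseline() {
    baseline=$1
    bad=0
    while IFS= read -r line; do
        expected=${line%%  *}   # text before the first double space
        path=${line#*  }        # text after it
        if [ ! -f "$path" ]; then
            echo "MISSING   $path"
            bad=$((bad + 1))
            continue
        fi
        actual=$(file_md5 "$path")
        actual=${actual%%  *}
        if [ "$actual" = "$expected" ]; then
            echo "OK        $path"
        else
            echo "MODIFIED  $path (baseline $expected, now $actual)"
            bad=$((bad + 1))
        fi
    done < "$baseline"
    return "$bad"
}

# demo: constructed stand-ins for ls/ps/netstat in a scratch directory (a real
# baseline would cover /bin/ls, /bin/ps, /bin/netstat, /bin/login, ...), then a
# simulated trojaned ps and a deleted netstat. Returns the finding count (2).
demo() {
    work=$(mktemp -d)
    printf 'pretend this is /bin/ls\n' > "$work/ls"
    printf 'pretend this is /bin/ps\n' > "$work/ps"
    printf 'pretend this is /bin/netstat\n' > "$work/netstat"
    make_baseline "$work/baseline.md5" "$work/ls" "$work/ps" "$work/netstat"

    # Tamper the way the rootkit in the quoted report did: replace ps, wipe netstat.
    printf 'replacement ps that hides the intruder\n' > "$work/ps"
    rm -f "$work/netstat"

    rc=0
    verify_baseline "$work/baseline.md5" || rc=$?
    rm -rf "$work"
    return "$rc"
}

# Run "sh baseline.sh --demo" to see the OK/MODIFIED/MISSING report.
if [ "${1:-}" = "--demo" ]; then
    n=0; demo || n=$?
    echo "findings: $n"
fi
```

Two caveats follow from Guillermo's report. First, the checker is only as trustworthy as the shell and md5 binary it runs, so keep the baseline and a known-good copy of md5/md5sum on read-only media rather than on the host it checks; trojaned ls, ps and netstat do not help an attacker against a checksum taken by a clean md5 binary, but a trojaned md5 would. Second, a loadable-kernel-module rootkit like knark intercepts system calls and can lie to every user-space tool, this one included, which is what "knark can get around tripwire" refers to; for a machine already suspected of compromise, compute the checksums after booting from clean media with the disk mounted read-only, or compare against vendor-published fingerprints such as the Sun page above.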
Received on Thu Dec 13 2001 - 09:55:15 MST
