L6: a lightweight tool for detecting file tampering

Post by Patrick Gilbert » Fri, 18 Dec 1998 04:00:00

After fiddling with tripwire, I decided to create a lighter and faster
file data integrity tool. I found tripwire (now a commercial product)
to be too heavy and slow for my needs.

L6 is a file data integrity checker using both the MD5 and SHA-1 hash
algorithms. This tool can detect file tampering based on hashes
by both algorithms and other inode information (not as reliable though).

It also provides a useful, lightweight and flexible interface (written
in perl) to verify file data integrity, and the output and functionality

Here are a few examples:

Using digest version SHA-1, library version 1.2
-STANDARD INPUT-//X - - - [-,-] 6048 bytes

-STANDARD INPUT-//X - - - [-,-] 20 bytes

/etc/sshd.pid//text 649608 100666 1 root/root 6 bytes 365de054
/etc/ftphosts//text 649607 100600 1 root/sys 190 bytes 36124491
/etc/sendmail.cf//text 649534 100644 1 root/other 31497 bytes 365e70e9

L6 has many more options, and is approx. 40% faster than its C counterpart.
It's open source. It's free. <BIG BANNER HERE>

I am donating this tool to the general security community for
and comments.


Patrick Gilbert                                     +1 (514) 865-9178
CEO, PGCI                                          http://www.pgci.ca
Montreal (QC), Canada CE AB B2 18 E0 FE C4 33  0D 9A AC 18 30 1F D9 1A
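As an added example, not L6's own code (which is Perl), the following Python routine records the same two digests plus the inode fields that appear in the output lines above (inode, mode, link count, owner/group, size), then re-checks a tree against that baseline. The constructed scenario overwrites a file in place with same-length content, so every inode field stays identical and only the two hashes flag the change, which is the reason the post calls the inode information the less reliable signal.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List


def fingerprint(path: str) -> Dict[str, object]:
    """MD5 + SHA-1 of the file contents plus the inode fields L6 reports."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    st = os.lstat(path)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "inode": st.st_ino, "mode": oct(stat.S_IMODE(st.st_mode)),
            "nlink": st.st_nlink, "owner": f"{st.st_uid}/{st.st_gid}",
            "size": st.st_size}


def baseline(root: str) -> Dict[str, Dict[str, object]]:
    """Fingerprint every regular file below root, keyed by relative path."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(p).st_mode):
                db[os.path.relpath(p, root)] = fingerprint(p)
    return db


def verify(root: str, db: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Return {relpath: [fields that differ]}; missing/added files are reported too."""
    report, current = {}, baseline(root)
    for rel, old in db.items():
        new = current.get(rel)
        if new is None:
            report[rel] = ["missing"]
            continue
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            report[rel] = changed
    for rel in current.keys() - db.keys():
        report[rel] = ["added"]
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a same-length in-place edit that inode data cannot see."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sshd.pid"), "w") as f:
            f.write("12345\n")                    # constructed sample content
        with open(os.path.join(root, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")      # constructed sample content
        db = baseline(root)
        with open(os.path.join(root, "sshd.pid"), "r+") as f:
            f.write("54321\n")  # same size, same inode, mode, nlink and owner
        return verify(root, db)  # -> {'sshd.pid': ['md5', 'sha1']}


if __name__ == "__main__":
    print(demo())
```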


1. Self-referential directory file.../etc/inet tampered with

I'm wondering whether anyone else has run into this problem.  I
am running Linux on a standalone 386 (occasional SLIP connects) with
Slackware 3.0 obtained from an ftp site.  I recently discovered that
my /etc/inet subdir had been tampered with.  Specifically, the /etc/inet
directory has been replaced with a softlink to "./" giving me a sequence
of /inet subdirs (i.e. /etc/inet/inet/inet/inet...ad nauseam).  I am
the sole user of this machine and I'm certain I didn't create this link.
Just prior to finding this problem, I found my system running a
"find / -NFS..." command and accessing my mounted DOS partition at a
time when I didn't have any cron or at jobs scheduled.

In what is likely a related problem, I had my DOS partition (which I
typically mount under Linux) trashed in a similar fashion, with my
c:\DOS subdir being replaced with a referent to my c:\ hierarchy,
which was, again, repeated in a neverending series of DOS subdirs
(i.e. c:\dos\dos\dos\dos...).

I haven't downloaded any executable code (or postscript files, etc.)
to my Linux box recently.  

Any insights and helpful suggestions would be appreciated.  


2. Video card compatibility

3. lightweight tar (file archiver)

4. malloc.conf

5. Lightweight Files

6. Modem speed

7. File synchronizing tool, performance graph tool

8. 3 button mouse

9. Tools Tools Tools ... wanted

10. detect memory leak tools?

11. Kernel upgrade tampered internet connection?

12. tampering with masq module for Netmeeting

13. Tool for detecting root-kit