Checking modified binaries

Post by Lee J. Silverm » Fri, 05 Aug 1994 12:40:10



        Now that I've started to learn Perl, I'm trying to write a
number of scripts that help me do systems administration.  Yes, I
know, dozens of people have done this before, but it's always fun to
do it yourself.

        One of the things I'd like to do is check to see if any of a
set of binaries have been modified since the last time I ran the
check.  Perl will allow me to verify that the file size is the same as
the last time I ran the script, and it will also let me look at the
last modified date.  The question is: which is safer to monitor?  If I
were a cracker, and I wanted to modify a binary so that it would make
the system work for me, I *think* it would be easy to make the patch
so that the executable was the same size as the original.  Is there
any way the presumed intruder (or even a user on the system) can
change the last modified date for a file?

        In case anyone cares, this is a Linux box using the ext2 file
system.

--
Lee Silverman, Brown class of '94, Brown GeoPhysics ScM '95


"Nonsense - you only say it's impossible because nobody's ever done it."


Checking modified binaries

Post by Bruce Hagger » Fri, 05 Aug 1994 23:26:50



>    One of the things I'd like to do is check to see if any of a
>set of binaries have been modified since the last time I ran the
>check.

Good idea -- trojan horse programs can prove to be real pains!

> Perl will allow me to verify that the file size is the same as
>the last time I ran the script, and it will also let me look at the
>last modified date.  The question is: which is safer to monitor?

Neither is safe at all.  A cracker can (as you point out below) pad the
file to match the original size, and it is trivial to change the date.

A much better way is to calculate a checksum or hash of the data within
the file. The easiest way to do this is simply to exec the "sum" command
within perl.  For even more security, you can calculate the MD5 sum (check
any decent crypto book for the algorithm).  There is no way for a
cracker to modify the file without changing the checksum.

You should also take a look at tripwire. It does exactly what you are
looking for.

--
Bruce



Checking modified binaries

Post by Lee J. Silverm » Sat, 06 Aug 1994 02:07:06


        Thanks to everyone who suggested different techniques for
determining whether or not binaries on my machine have been modified.

        It seems that the consensus is that file sizes and last
modification dates are both hackable, and are not something I should
bother checking to see if the binaries have been altered.  A better
solution would be to use MD4 or MD5 checksums on the binaries, and
also on all the dynamically loadable library files.  That way, *any*
change will be noticed and can be reported.  Also, it seems to be a
prudent idea to physically print out a copy of the checksums and
compare two printouts every so often, based on the assumption that
anyone who can modify your binaries or libraries will also check to
see if you check for that sort of thing, and modify your checksum
database.

Thanks for the help everyone!

--
Lee Silverman, Brown class of '94, Brown GeoPhysics ScM '95


"Nonsense - you only say it's impossible because nobody's ever done it."


Checking modified binaries

Post by Tilman Schmi » Sat, 06 Aug 1994 16:14:29




>    One of the things I'd like to do is check to see if any of a
>set of binaries have been modified since the last time I ran the
>check.  Perl will allow me to verify that the file size is the same as
>the last time I ran the script, and it will also let me look at the
>last modified date.  The question is: which is safer to monitor?

Neither of the two is any good:  Any experienced hacker will
make the hacked file the same size as the original and reset
its last modified date to the previous value with "touch".
The only check that is any good is a cryptographically hard
checksum of the file's contents.  To be really safe you have
to store the correct checksums in an encrypted file, on a
physically read-only medium, or better still, offline.

--
Tilman Schmidt                              Phone:  +49 221 8299 275
Sema Group Deutschland GmbH                 Fax:    +49 221 8299 266
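An added example (not code from any poster in this thread) of the scheme Bruce, Lee and Tilman converge on: hash the file contents instead of trusting size or mtime, and seal the checksum database with a key kept off the monitored host so that editing the database itself is caught. The file, key and paths are constructed; SHA-256 stands in for the MD5 the thread mentions.

```python
import hashlib, hmac, json, os, tempfile

def file_digest(path):
    """SHA-256 of the file contents: the 'checksum of the data' the thread recommends."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record size, mtime and digest; only the digest decides the verdict."""
    return {p: {"size": os.path.getsize(p), "mtime": int(os.stat(p).st_mtime),
                "sha256": file_digest(p)} for p in paths}

def seal(baseline, key):
    """HMAC the serialised baseline so edits to the database are detected; key stays offline."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify(blob, tag, key):
    """Check the database seal, then re-hash every recorded file."""
    if not hmac.compare_digest(hmac.new(key, blob, hashlib.sha256).hexdigest(), tag):
        raise ValueError("baseline database has been tampered with")
    report = {}
    for p, rec in json.loads(blob).items():
        cur = build_baseline([p])[p]
        report[p] = {"size_or_mtime_changed": (cur["size"], cur["mtime"]) != (rec["size"], rec["mtime"]),
                     "content_changed": cur["sha256"] != rec["sha256"]}
    return report

def demo():
    """Constructed scenario: patch a stand-in 'binary' in place and reset its mtime with utime()."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "fake-ls")  # constructed file, not a real system binary
    with open(p, "wb") as f: f.write(b"\x7fELF" + b"A" * 60)
    key = b"constructed-offline-key"  # would be kept on removable media in practice
    blob, tag = seal(build_baseline([p]), key)
    st = os.stat(p)
    with open(p, "r+b") as f:
        f.seek(10); f.write(b"B" * 8)            # same-size patch
    os.utime(p, (st.st_atime, st.st_mtime))      # put the old timestamps back, as 'touch' would
    result = verify(blob, tag, key)[p]
    try:                                         # database edited instead of the file
        verify(blob + b" ", tag, key)
        result["db_tamper_caught"] = False
    except ValueError:
        result["db_tamper_caught"] = True
    return result
```

`demo()` reports that size and mtime look untouched while the content hash differs, and that a modified database fails its seal check.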


Checking modified binaries

Post by Clayton Mitche » Mon, 08 Aug 1994 17:28:48


The best solutions have already been mentioned, but you would have less
to worry about in the first place if you do this:

To ease your sysadmin burden, I would modify 'touch' so that it can not set
the date back on a file, with something like a C front-end.   Only some
versions of touch can set the date backwards; unfortunately, Linux
versions do.  Also, the 'date' command should be protected from common
users by the same logic.

I would do the checksums too, of course.

--

Public Access UNIX and Internet at (503) 220-1016 (2400-14400, N81)


Checking modified binaries

Post by Greg Bla » Tue, 09 Aug 1994 13:21:15



>The best solutions have already been mentioned, but you would have less
>to worry about in the first place if you do this:
>To ease your sysadmin burden, I would modify 'touch' so that it can not set
>the date back on a file, with something like a C front-end.   Only some
>versions of touch can set the date backwards,
>unfortunately Linux versions do.

Are you going to disable the C compiler too?  It would only take about 5
minutes to write touch.

>Also the 'date' command should be
>protected from common users by the same logic.

Does linux allow ordinary users to set the date?  If so, that's another
reason to avoid it.

--

681 Park Street, Brunswick, Vic. 3056, Australia


Checking modified binaries

Post by Kurt M. Hockenbu » Wed, 10 Aug 1994 00:22:10


: Does linux allow ordinary users to set the date?  

No.


Checking modified binaries

Post by Tilman Schmi » Wed, 10 Aug 1994 20:20:52




>To ease your sysadmin burden, I would modify 'touch' so that it can not set
>the date back on a file, with something like a C front-end.

Won't stop anybody determined.  The underlying system call, utime(),
can be used by any user on any file he can write.  (And if he can't,
there is no problem to begin with.)  So any hacker can just create
his own version of 'touch'.

>  Also the 'date' command should be
>protected from common users by the same logic.

It already is, on all Unices I know of.  To change the system date
you have to be superuser.

--
Tilman Schmidt                              Phone:  +49 221 8299 275
Sema Group Deutschland GmbH                 Fax:    +49 221 8299 266


1. AIDE ( replacement for tripwire ), checking for rootkits / modified binaries, etc.

I am in the process of removing root privileges from developers ( It's a
long story, but it has been like that since before I even started working
with the company ).

Since the developers still have root access ( otherwise, their apps will
not run ) until after I have configured everything correctly so that
their apps need not run as root, there is always the possibility
that either

a) someone has already modified the system binaries, or installed
rootkits, etc ....

b) or will do so just after a check is done but before I revoke root
privileges from them.

I would want to be able to know:

If any rootkits are installed before or after I have denied everyone else
root privileges ... check if the Solaris binaries in /usr ... /bin ...
etc... are what they are supposed to be.

( I suppose I can run pkgchk, but if the package itself in /var/sadm/
... has been modified to make me believe nothing has been altered, it's
another story. )

Which one do most of you use? Nessus ? etc. ?

Is there a way to check the binaries programmatically against Sun's
website or something like that ?

Now assuming everything was fine even after root privileges have been
revoked from them, I am thinking of then using AIDE

http://www.cs.tut.fi/~rammer/aide.html

Anyone with experience with it to provide some feedback ?
Is it worth it ?
