[nycbug-talk] Searching for suspect PHP files...

Andy Kosela akosela at andykosela.com
Wed Mar 4 12:21:53 EST 2009


George Rosamond <george at ceetonetechnology.com> wrote:

> Matt Juszczak wrote:
> >> Tripwire has become a bloated beast nowadays.  I'm using mtree(8) for
> >> checking file integrity and it is a very good tool for such a job.
> >>
> >> --Andy
> > 
> > So say I wanted to check if an existing system of mine has been 
> > compromised.  I already know that chkrootkit is returning nothing, but 
> > that's returning nothing with no source to compare to, so obviously 
> > there's the potential there for error.
> > 
> > Should I compile world in /usr/src and use chkrootkit with a basedir of 
> > the compiled binaries?  Or should I use mtree, and if so, suggestions on 
> > best ways?
> >
>
> IMHO, it depends on the context.
>
> mtree is great if you're looking at a set of static files. . . clearly a 
> dynamically generated www site will have files that can't be simply mtree'd.

First, what is the point of checking file integrity for the
*dynamically* generated set of files?

Those solutions work best for base system files like /bin and /sbin
binaries to see if somebody messed with them.  If you didn't make a
fresh specification just *before* you put the system online, then you
will never know if you have been "trojan horsed".  Also make sure you
scan the suspect system from another highly secured machine and use
mtree(8) from that machine.  It is very probable that the first thing an
attacker would do on your system would be to change mtree(8), so that it
would not work as expected.

--Andy
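The workflow described in this message (take a specification of the base-system directories before the host goes online, keep it elsewhere, and later compare the live tree against it from a trusted machine) as a small worked example. This is an added example, not code from the thread and not mtree(8) itself: on FreeBSD the real tool does the equivalent with something like `mtree -c -K sha256digest -p /bin > bin.spec` to create the baseline and `mtree -f bin.spec -p /bin` to print discrepancies. The script below re-implements that baseline/verify loop with mtree-style keywords; the fake `bin` directory, the same-size trojaned `ls`, the removed `ps` and the dropped `.rk` file are constructed inputs for the demonstration.

```python
"""Minimal mtree-style baseline and verification of a directory tree.

Added example, not mtree(8) itself: it records the same kind of keywords
mtree uses (type, mode, uid, gid, size, sha256digest) and reports files that
changed, disappeared or appeared since the baseline was taken.
"""
import hashlib
import os
import stat
import tempfile

# mtime is deliberately not a keyword: an attacker can restore it with
# touch(1); a content digest cannot be preserved while changing the file.
KEYWORDS = ("type", "mode", "uid", "gid", "size", "sha256digest")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry(path):
    """Describe one filesystem object with the mtree-like keywords above."""
    st = os.lstat(path)
    if stat.S_ISREG(st.st_mode):
        ftype, digest = "file", _sha256(path)
    elif stat.S_ISLNK(st.st_mode):
        ftype, digest = "link", hashlib.sha256(os.readlink(path).encode()).hexdigest()
    elif stat.S_ISDIR(st.st_mode):
        ftype, digest = "dir", "-"
    else:
        ftype, digest = "other", "-"
    return {
        "type": ftype,
        "mode": "%04o" % stat.S_IMODE(st.st_mode),
        "uid": str(st.st_uid),
        "gid": str(st.st_gid),
        "size": str(st.st_size) if ftype == "file" else "-",
        "sha256digest": digest,
    }


def build_spec(root):
    """Walk root and return {relative path: keyword dict}, like 'mtree -c'."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            spec[os.path.relpath(full, root)] = _entry(full)
    return spec


def format_spec(spec):
    """Serialise as 'path key=value ...' lines (paths with whitespace unsupported)."""
    return "\n".join(
        rel + " " + " ".join("%s=%s" % (k, spec[rel][k]) for k in KEYWORDS)
        for rel in sorted(spec)
    ) + "\n"


def parse_spec(text):
    spec = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rel, *kv = line.split()
        spec[rel] = dict(item.split("=", 1) for item in kv)
    return spec


def verify(root, spec):
    """Compare the live tree under root against a saved spec, like 'mtree -f'.

    Returns {'changed': {path: {keyword: (expected, actual)}},
             'missing': [paths in spec but not on disk],
             'extra':   [paths on disk but not in spec]}.
    """
    live = build_spec(root)
    changed, missing = {}, []
    for rel, want in spec.items():
        have = live.get(rel)
        if have is None:
            missing.append(rel)
            continue
        diffs = {k: (want[k], have[k]) for k in KEYWORDS if want.get(k) != have.get(k)}
        if diffs:
            changed[rel] = diffs
    return {"changed": changed,
            "missing": sorted(missing),
            "extra": sorted(set(live) - set(spec))}


def demo():
    """Constructed scenario: baseline a fake bin directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name, body in (("ls", b"#!/bin/sh\necho ls\n"), ("ps", b"#!/bin/sh\necho ps\n")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
            os.chmod(os.path.join(bindir, name), 0o755)

        # Taken *before* the system goes online; in practice store it off-host
        # and run the comparison from a trusted machine.
        baseline = format_spec(build_spec(root))

        # Simulated intrusion: ls is replaced by a same-size trojan (so 'size'
        # still matches), ps is removed and a rootkit helper is dropped.
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho LS\n")
        os.remove(os.path.join(bindir, "ps"))
        with open(os.path.join(bindir, ".rk"), "wb") as f:
            f.write(b"evil\n")

        return verify(root, parse_spec(baseline))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the scenario makes is the one the message makes: the trojaned `ls` keeps its size, mode and owner, so only the content digest catches it, and the check is only meaningful if the baseline was taken while the host was still clean and is stored and run from somewhere the attacker cannot reach.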
