[nycbug-talk] Searching for suspect PHP files...

George Rosamond george at ceetonetechnology.com
Wed Mar 4 13:47:38 EST 2009

Andy Kosela wrote:
> George Rosamond <george at ceetonetechnology.com> wrote:
>> Matt Juszczak wrote:
>>>> Tripwire became a bloated beast nowadays.  I'm using mtree(8) for
>>>> checking files integrity and it is a very good tool for such job.
>>>> --Andy
>>> So say I wanted to check if an existing system of mine has been 
>>> compromised.  I already know that chkrootkit is returning nothing, but 
>>> that's returning nothing with no source to compare to, so obviously 
>>> there's the potential there for error.
>>> Should I compile world in /usr/src and use chkrootkit with a basedir of 
>>> the compiled binaries?  Or should I use mtree, and if so, suggestions on 
>>> best ways?
>> IMHO, it depends on the context.
>> mtree is great if you're looking at a set of static files. . . clearly a 
>> dynamically generated www site will have files that can't be simply mtree'd.
> First, what is the point of checking file integrity for the
> *dynamically* generated set of files?

Err. . that was my point, if made unclear. . . dynamically generated 
files are a bit of a hassle to mtree :)

> Those solutions work best for base system files like /bin and /sbin
> binaries to see if somebody messed with them.  If you didn't make a
> fresh specification just *before* you put the system online, then you
> will never know if you have been "trojan horsed".  Also make sure you
> scan the suspect system from another highly secured machine and use
> mtree(8) from that machine.  It is very probable that first thing an
> attacker would do on your system would be to change mtree(8), so that it
> would not work as expected.

Of course. . .

And the most effective way of doing such an mtree is to have it done 
remotely . . . depending on the context.

Maybe from outside a chroot, or (ike don't punch me), from the host to a 
FreeBSD jail.

If it's just static www content, it can be done remotely with wget.

It all depends on the context. . . checksum'g:

1.  base system?  without a FreeBSD jail or full system remote access, 
you're right, it's a bit suspect in results.

2.  dynamic www content: good luck outside of the static files


More information about the talk mailing list