[nycbug-talk] Searching for suspect PHP files...
George Rosamond
george at ceetonetechnology.com
Wed Mar 4 13:47:38 EST 2009
Andy Kosela wrote:
> George Rosamond <george at ceetonetechnology.com> wrote:
>
>> Matt Juszczak wrote:
>>>> Tripwire became a bloated beast nowadays. I'm using mtree(8) for
>>>> checking file integrity and it is a very good tool for such a job.
>>>>
>>>> --Andy
>>> So say I wanted to check if an existing system of mine has been
>>> compromised. I already know that chkrootkit is returning nothing, but
>>> that's returning nothing with no source to compare to, so obviously
>>> there's the potential there for error.
>>>
>>> Should I compile world in /usr/src and use chkrootkit with a basedir of
>>> the compiled binaries? Or should I use mtree, and if so, suggestions on
>>> best ways?
>>>
>> IMHO, it depends on the context.
>>
>> mtree is great if you're looking at a set of static files. . . clearly a
>> dynamically generated www site will have files that can't be simply mtree'd.
>
> First, what is the point of checking file integrity for the
> *dynamically* generated set of files?
Err. . that was my point, if I made it unclear. . . dynamically generated
files are a bit of a hassle to mtree :)
>
> Those solutions work best for base system files like /bin and /sbin
> binaries to see if somebody messed with them. If you didn't make a
> fresh specification just *before* you put the system online, then you
> will never know if you have been "trojan horsed". Also make sure you
> scan the suspect system from another highly secured machine and use
> mtree(8) from that machine. It is very probable that first thing an
> attacker would do on your system would be to change mtree(8), so that it
> would not work as expected.
>
Of course. . .
And the most effective way of doing such an mtree is to have it done
remotely . . . depending on the context.
Maybe from outside a chroot, or (ike don't punch me), from the host to a
FreeBSD jail.
If it's just static www content, it can be done remotely with wget.
It all depends on the context. . . checksumming:
1. base system? without a FreeBSD jail or full system remote access,
you're right, it's a bit suspect in results.
2. dynamic www content: good luck outside of the static files
g
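The baseline-then-verify workflow the thread describes (take a specification of the static base files *before* the box goes online, keep it elsewhere, and later compare the live tree against it from a trusted machine) as an added Python example. This is not code from the post and not mtree(8) itself: on FreeBSD the same thing is done with `mtree -c -K sha256digest -p DIR > spec` and later `mtree -p DIR < spec`; the script below stands in for that so it runs anywhere. The directory layout, file contents and the simulated tampering are all constructed for the demo.

```python
"""Baseline-and-verify file integrity check in the spirit of mtree(8).

build_spec() corresponds to creating a specification (mtree -c);
verify_spec() corresponds to checking a live tree against that
specification. The spec is plain data, so it can be written out,
stored on another host and fed back to a checker run from trusted
media, which is the thread's point about not trusting the on-box tool.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path):
    """Streaming SHA-256 of one file (large binaries should not be read whole)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_spec(root):
    """Walk root and record (mode, size, sha256) for every regular file.

    Keys are paths relative to root, so the same spec can be applied to a
    copy of the tree mounted elsewhere (a jail root, a snapshot, a chroot).
    """
    root = Path(root)
    spec = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks/devices would need their own keywords
            rel = str(p.relative_to(root))
            spec[rel] = (stat.S_IMODE(st.st_mode), st.st_size, _sha256(p))
    return spec


def verify_spec(spec, root):
    """Compare the tree under root against a stored spec.

    Returns sorted lists of modified (mode/size/digest differs), missing
    (in spec, not on disk) and added (on disk, not in spec) relative paths.
    An empty result on all three means the tree matches the baseline.
    """
    current = build_spec(root)
    modified = sorted(p for p in spec if p in current and current[p] != spec[p])
    missing = sorted(p for p in spec if p not in current)
    added = sorted(p for p in current if p not in spec)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: baseline a tiny 'base system' tree, then tamper.

    Returns the verify_spec() report after tampering, which should flag
    exactly one modified, one missing and one added file.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # constructed stand-ins for base system binaries
        (root / "ls").write_bytes(b"#!/bin/sh\nexec /rescue/ls \"$@\"\n")
        (root / "ps").write_bytes(b"#!/bin/sh\nexec /rescue/ps \"$@\"\n")
        (root / "sbin").mkdir()
        (root / "sbin" / "init").write_bytes(b"init-binary-bytes")
        for p in ("ls", "ps", "sbin/init"):
            os.chmod(root / p, 0o755)

        # 1. take the specification while the tree is known-good
        spec = build_spec(root)
        assert verify_spec(spec, root) == {"modified": [], "missing": [], "added": []}

        # 2. simulated tampering: one file changed, one removed, one dropped in
        (root / "ps").write_bytes(b"#!/bin/sh\necho replaced\n")
        (root / "sbin" / "init").unlink()
        (root / ".hidden").write_bytes(b"x")

        # 3. re-check against the stored spec
        return verify_spec(spec, root)


if __name__ == "__main__":
    print(demo())
```

Keeping the spec keyed by relative path is what makes the "check from another machine" step practical: the trusted host can mount or copy the suspect tree under any directory and run `verify_spec(spec, that_dir)` with its own copy of the checker, so a modified checker on the suspect box never gets a say.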