Compromised security? Could you please post some Panther checksums?
SAgent0068
Jan 24, 2004, 01:37 AM
 
I was just perusing my logs the other night and a few things aroused my suspicion, and so I was hoping that I could do a quick sanity check and verify that my machine hasn't been compromised (otherwise, I'll hurry to reformat and lock things down). I normally have file sharing, web sharing, remote login, and printer sharing enabled, so obviously there's some exposure. I was hoping that anybody here could post checksums for the following apps (I have Panther with all of the system updates installed)? Thanks for your help!

/etc/inetd.conf
/usr/bin/basename
/usr/bin/biff
/usr/bin/chfn
/usr/bin/chsh
/usr/sbin/cron
/bin/date
/usr/bin/du
/usr/bin/dirname
/bin/echo
/usr/bin/egrep
/usr/bin/env
/usr/bin/find
/usr/libexec/fingerd
/usr/bin/grep
/usr/bin/su
/sbin/ifconfig
/usr/sbin/inetd
/usr/bin/login
/bin/ls
/usr/bin/mail
/usr/sbin/netstat
/usr/sbin/named
/usr/bin/passwd
/bin/ps
/usr/sbin/rpcinfo
/usr/libexec/rlogind
/usr/libexec/rshd
/usr/bin/slogin
/usr/sbin/sendmail
/usr/sbin/sshd
/usr/sbin/syslogd
/usr/bin/tar
/usr/libexec/tcpd
/usr/bin/top
/usr/libexec/telnetd
/usr/sbin/timed
/usr/sbin/traceroute
/usr/bin/write
myPhoto: all you have to do is plug in your digital camera, import your photos as you normally would into iPhoto, organize them, add whatever captions you want, and voila! Your photos are on your web page! And what did you have to do to put them there? Simply install myPhoto.
     
CharlesS
Jan 24, 2004, 01:57 AM
 
Shameless plug time:

Pacifist has a Verify feature that compares the checksums of the files on your disk with the checksums specified in the package that installed them.

The one caveat is that if you've installed system updates since you installed the OS, obviously the checksums will be different than the checksums in Essentials.pkg. In this case, you want to run the Verify feature on the latest Software Update receipt that contains the file you want to examine.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
SAgent0068  (op)
Jan 24, 2004, 02:08 AM
 
So I compared a few (very small sample of the whole list: tcpd, su, login, netstat, sshd) checksums with a friend, and there was a disparity with sshd, so I was wondering if anybody here could chime in?

Is it:
234274262b80cf61cf46141936b9cbee

or

fcc59fb5569112742e83c203f9991251


?

     
andrew davidoff
Jan 24, 2004, 02:24 AM
 
Originally posted by SAgent0068:
So I compared a few (very small sample of the whole list: tcpd, su, login, netstat, sshd) checksums with a friend, and there was a disparity with sshd, so I was wondering if anybody here could chime in?

Is it:
234274262b80cf61cf46141936b9cbee

or

fcc59fb5569112742e83c203f9991251


?

[scratch that] - so panther with all the updates? same here...and my md5sum is neither of those 2.

here's mine...

superfly:~ davidof$ ssh -v localhost
OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f


superfly:~ davidof$ md5sum /usr/sbin/sshd
571a451853e1feab5c02b29ed45cb307 /usr/sbin/sshd

what makes you think your box was compromised?

andrew davidoff
     
SAgent0068  (op)
Jan 24, 2004, 02:40 AM
 
Odd--I haven't found a matching SSH checksum yet with anybody I speak to.

I was suspicious because I have CheckMate installed (it's a prefpane that checks your checksums nightly and complains if they change). I didn't notice it was only logging the errors rather than notifying me (I just got a new comp recently, so I didn't finish perfectly tuning all my settings again as they once were), so I thought maybe I forgot to update the checksums after a system update. Some of these logged warnings went back further than the dates some of the system updates were applied though, and then I happened to notice a handful of SSH scans ("scanned with SSH-1.0-SSH_Version_Mapper. Don't panic"), so I got nervous. Also, for a brief period (perhaps a day or two), the firewall was off (I forgot to re-enable it) despite all of the sharing services still being on. I can't say I have anything else to base my fears on, so I guess it's just paranoia.

Any suggestions? Should I be hurrying to do an OS reinstall (or do I have to completely reformat?)? or am I over-reacting? Anything I should be looking for? I was watching netstat and trying tcpdump, but I suppose that relies on (a) somebody being connected and (b) that those two programs are not compromised.

Thanks
     
SAgent0068  (op)
Jan 24, 2004, 02:51 AM
 
A possible solution (would this work ok?):

Replace all of these files with copies from another machine that has the same updates applied? (I suppose I just need to make sure permissions get set correctly to make sure this all works ok)
     
CharlesS
Jan 24, 2004, 06:50 AM
 
Actually, I just thought of the probable reason your checksums are changing - prebinding. When update_prebinding gets called on one of these binaries, it is going to change its checksum. Since the prebinding gets run automatically when you launch a binary that's in need of a prebinding update, it may change every so often.

This would also explain why no one has the same checksum for the tool.

If you do feel like replacing the binaries, you can of course use Pacifist to do so. </shameless plug>

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
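
The baseline comparison this thread relies on (CheckMate's nightly check, and comparing hashes by hand), as an added Python example that is not from any poster, CheckMate or Pacifist: it hashes each file named in an md5sum-style manifest taken earlier on the same machine and reports OK, CHANGED or MISSING. The sample files are constructed stand-ins, SHA-256 is used in place of the MD5 seen in the thread, and all function names are hypothetical.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse md5sum/shasum-style lines: '<hex digest> <path>'."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        baseline[path] = digest.lower()
    return baseline

def verify(baseline, algo="sha256"):
    """Return {path: status}; status is OK, CHANGED or MISSING."""
    report = {}
    for path, expected in sorted(baseline.items()):
        if not os.path.isfile(path):
            report[path] = "MISSING"
        elif file_digest(path, algo) == expected:
            report[path] = "OK"
        else:
            report[path] = "CHANGED"
    return report

def demo():
    """Constructed sample: three stand-in files, one rewritten and one removed."""
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n) for n in ("sshd", "login", "tcpd")}
    for name, p in paths.items():
        with open(p, "wb") as f:
            f.write(b"constructed stand-in for " + name.encode())
    manifest = "\n".join(f"{file_digest(p)}  {p}" for p in paths.values())
    with open(paths["sshd"], "ab") as f:  # simulate an in-place rewrite of the file
        f.write(b"\x00rewritten")
    os.remove(paths["tcpd"])
    report = verify(parse_manifest(manifest))
    return {os.path.basename(p): status for p, status in report.items()}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

A CHANGED result only says the bytes differ from the baseline; deciding whether the change is legitimate (a system update, prebinding) still needs a trusted reference such as the installer package's own checksums.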
     
SAgent0068  (op)
Jan 24, 2004, 11:34 AM
 
ah, good call...i feel much less panicked now