md5 hashes...

Support for security such as Firewalls and securing linux
surfside
Posts: 1
Joined: 2014/09/30 23:45:33

md5 hashes...

Post by surfside » 2014/10/01 00:14:44

Hello.

I am running 5.11 with all current patches applied.
I am assessing the status of a /bin directory that I believe may have been compromised as a result of the recent bash vulnerability.

I've mounted a snapshot of / from a snapshot taken a short time ago.
A recursive diff reveals that a number of executables under /bin differ, although the size, timestamps and versions appear to be identical.
The files do in fact differ, and in what appears to be a consistent manner.

Updates were applied three times between the time of the snapshot and the current state, so that may play into things - but I suspect not. Except for bash, these are all much older files than those on the snapshot.

Anyway, as an example, the md5sum for /bin/traceroute on the snapshot is this:
2eed1d18c8cb30e3026425ce9c737fb5

and on the current /bin, it's this:
441b7de5fd0ab4d160757f4c537756a4

Both are dated Feb 22 2012, and both show a size of 37264. Both report being the same release:
Modern traceroute for Linux, version 2.0.1, Apr 28 2011
Copyright (c) 2006 Dmitry Butskoy, License: GPL
Additionally, when extracting the strings from the binaries into text files for comparison, they all appear to have only one string that differs consistently:
1a2
> isRq

This is right at the top of the file with extracted strings.
All told, there are 83 files in /bin that differ. I tested several and they appear to vary in precisely the same manner as traceroute.

Would someone be so kind as to provide current checksums from a 5.11 release for the files in your /bin?
That would really help to nail down the situation.

Thanks.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: md5 hashes...

Post by gerald_clark » 2014/10/01 02:18:14

If you have been compromised, you need to reinstall from scratch.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: md5 hashes...

Post by TrevorH » 2014/10/01 02:29:04

Also note that prelink can change the md5sums of executables and give false alarms for events like this.

gulikoza
Posts: 188
Joined: 2007/05/06 20:15:23

Re: md5 hashes...

Post by gulikoza » 2014/10/01 05:15:28

You can use `prelink -y --md5 /bin/bash` to check md5sum before prelinking. If you compare that with the snapshot copy (also with prelink -y...), it should be the same...
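
The comparison described in this thread, written up as an added example (not code posted by anyone in the thread): each regular file under the snapshot's /bin is hashed with `prelink -y --md5` when prelink is installed, so the hash reflects the file before prelink relocated it, and plain md5sum otherwise; the mount point /mnt/snapshot/bin in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the MD5 of every regular
# file under a mounted snapshot's /bin with the live /bin, hashing each file
# through `prelink -y --md5` where prelink is installed so that prelink's
# relocation of the binary (which changes its plain md5sum) is undone first.
# The snapshot mount point used in the usage line below is an assumption.

# Print the md5 of a file as it was before prelinking. Falls back to plain
# md5sum when prelink is absent or the file is not a prelinked ELF (scripts).
unprelinked_md5() {
    f="$1"
    if command -v prelink >/dev/null 2>&1; then
        # prelink -y --md5 prints "<md5>  <path>" for the un-prelinked image
        if out=$(prelink -y --md5 "$f" 2>/dev/null) && [ -n "$out" ]; then
            printf '%s\n' "${out%% *}"
            return 0
        fi
    fi
    md5sum "$f" | awk '{print $1}'
}

# Walk every regular file in the snapshot tree and report each one that is
# missing from, or hashes differently in, the live tree. Output lines:
#   DIFFERS <relative path> <snapshot md5> <live md5>
#   MISSING <relative path>
compare_tree() {
    snap="$1"
    live="$2"
    (cd "$snap" && find . -type f) | sort | while IFS= read -r rel; do
        rel="${rel#./}"
        if [ ! -f "$live/$rel" ]; then
            printf 'MISSING %s\n' "$rel"
            continue
        fi
        a=$(unprelinked_md5 "$snap/$rel")
        b=$(unprelinked_md5 "$live/$rel")
        [ "$a" = "$b" ] || printf 'DIFFERS %s %s %s\n' "$rel" "$a" "$b"
    done
}

# Number of reported files; 0 means every snapshot file matches the live copy.
count_findings() {
    compare_tree "$1" "$2" | wc -l | tr -d ' '
}

# Usage (assumed mount point): compare_tree /mnt/snapshot/bin /bin
```

Files that still differ after both sides are hashed this way are the ones worth treating as genuinely changed; prelink alone cannot explain them.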
