[olug] Security breach?
topher-olug at zyp.org
Wed Jun 6 22:20:28 UTC 2012
On Wed, Jun 6, 2012 at 3:10 PM, <aric at omahax.com> wrote:
> Is there something that does a hash compare of all the binaries, installed
> packages, etc. and can be run from removable, bootable media?
There are a handful of bootable distributions set up for that, although
Knoppix can work in a pinch. Google for 'forensic cd' or something
along those lines and you'll find some options.
Additionally, for Debian and Debian-based systems, there's a tool
called 'debsums' that can check md5 sums of files against the md5
hashes from the Debian package they came from. It is also integrated
in some additional tools, like TIGER.
This kind of thing is typically much easier to detect with
pre-planning than it is purely after-the-fact. Best practice: never
put anything directly on the live Internet (put it behind a firewall).
If you have to have Internet-exposed hosts, make sure they are
properly locked down. Consider using a Host-based IDS or system
integrity check tool (TripWire, AIDE, TIGER, systraq, there are dozens
of them). Each of these tools will continually monitor your system
for specified file changes.