| View previous topic :: View next topic |
| Author |
Message |
SpackmanChris
n00b
Joined: 24 Mar 2019
Posts: 7
|
 Posted: Tue Oct 27, 2020 8:59 pm Post subject: [Solved] md5sums don't match-potentially compromised system |
 |
|
I had to send my computer to be repaired. I got it back yesterday, and, being slightly paranoid, I checked my system's important files' checksums with those of a backup made just before sending the computer to be repaired. Most of the md5sums match, but worryingly many files in /lib/security do NOT match.
I booted from an old gentoo livecd and mounted the internal drive and the usb backup drive separately under /mnt/. I ran md5sum on the files on the internal drive, saving the output to a file. I copied the file to the usb drive and checked the sums against the files there. Around 80 failed - not missing or a directory, but md5sum reported "Failed".
I did this for bin/ usr/ lib/ lib64/ and almost all of the other static directories (I didn't check proc or sys, for example). Only these files in /lib/security failed. Only using ext4, no unusual mount tricks or anything like that. Backups were created with rsync -avx to the usb drive. I usually check md5sums in this way a couple times a year. This is the first time any have failed.
The dates displayed by ls -l for the files in each /lib/security are identical, but the sizes are noticeably different.
I assume the computer is compromised, but how can I rule out the possibility that the backup is compromised? I suppose I could mount everything, chroot, and run equery --check, but I don't like the idea of even giving that much power to a potentially compromised system. (I've not booted into the gentoo system since I received the computer back.) Where does portage keep the data to compare against when equery --check is run? Would looking at that data (just in terminal or text editor) allow me to compare without having to chroot into a potentially compromised system?
Is there a good rescue tool that can scan for viruses / rootkits / etc?
Thanks for any help, pointers, or advice.
EDIT: turned out to be user error - my backup of /lib was waaaaay out of date due to the switch to 17.1 profile. Files in sbin, bin, etc, and other system dirs were 100% okay, so confident it was not a system compromise.
_________________
--
Chris Spackman
ESL Coordinator
Linux user since 1998
Linux user #137532
Last edited by SpackmanChris on Wed Oct 28, 2020 10:48 pm; edited 1 time in total |
|
| Back to top |
|
 |
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54834
Location: 56N 3W
|
| Posted: Tue Oct 27, 2020 9:19 pm Post subject: |
|
|
SpackmanChris,
There is no rescue for a compromised system.
You either rebuild it from scratch or reinstall from trusted backups.
Since you can't determine what an attacker has done, you can't clean it up.
There may be something obvious, that you are supposed to find to put your mind at rest and something you don't find.
Anyone with physical access to your system who knows a little gentoo could have updated it. Booting with a liveCD and chrooting will give them root access.
Boot a liveCD and look at the end of /var/log/emerge.log What and when is there?
Is there timestamps when the box was not in your possession?
What of /usr/portage/metadata/timestamp.chk. That's the date and timestamp of your ::gentoo repo,
Lastly, heres my /lib/security and md5sums.
All I have in /lib/security is | Code: | $ ls /lib/security/ -lR
/lib/security/:
total 680
-rwxr-xr-x 1 root root 18480 Sep 4 03:15 pam_access.so
-rwxr-xr-x 1 root root 10224 Oct 13 22:06 pam_cap.so
-rwxr-xr-x 1 root root 10152 Sep 4 03:15 pam_debug.so
-rwxr-xr-x 1 root root 5632 Sep 4 03:15 pam_deny.so
-rwxr-xr-x 1 root root 10128 Sep 4 03:15 pam_echo.so
-rwxr-xr-x 1 root root 14320 Sep 4 03:15 pam_env.so
-rwxr-xr-x 1 root root 14528 Sep 4 03:15 pam_exec.so
-rwxr-xr-x 1 root root 6000 Sep 4 03:15 pam_faildelay.so
-rwxr-xr-x 1 root root 18528 Sep 4 03:15 pam_faillock.so
drwxr-xr-x 2 root root 4096 Sep 4 03:15 pam_filter
-rwxr-xr-x 1 root root 14368 Sep 4 03:15 pam_filter.so
-rwxr-xr-x 1 root root 10112 Sep 4 03:15 pam_ftp.so
-rwxr-xr-x 1 root root 26864 Aug 4 19:11 pam_gnome_keyring.so
-rwxr-xr-x 1 root root 14416 Sep 4 03:15 pam_group.so
-rwxr-xr-x 1 root root 10368 Sep 4 03:15 pam_issue.so
-rwxr-xr-x 1 root root 10144 Sep 4 03:15 pam_keyinit.so
-rwxr-xr-x 1 root root 18512 Sep 4 03:15 pam_lastlog.so
-rwxr-xr-x 1 root root 22712 Sep 4 03:15 pam_limits.so
-rwxr-xr-x 1 root root 10176 Sep 4 03:15 pam_listfile.so
-rwxr-xr-x 1 root root 5984 Sep 4 03:15 pam_localuser.so
-rwxr-xr-x 1 root root 10144 Sep 4 03:15 pam_loginuid.so
-rwxr-xr-x 1 root root 10176 Sep 4 03:15 pam_mail.so
-rwxr-xr-x 1 root root 10144 Sep 4 03:15 pam_mkhomedir.so
-rwxr-xr-x 1 root root 10192 Sep 4 03:15 pam_motd.so
-rwxr-xr-x 1 root root 35264 Sep 4 03:15 pam_namespace.so
-rwxr-xr-x 1 root root 10120 Sep 4 03:15 pam_nologin.so
-rwxr-xr-x 1 root root 14288 Sep 7 20:44 pam_passwdqc.so
-rwxr-xr-x 1 root root 5960 Sep 4 03:15 pam_permit.so
-rwxr-xr-x 1 root root 18624 Sep 4 03:15 pam_pwhistory.so
-rwxr-xr-x 1 root root 10096 Sep 4 03:15 pam_rhosts.so
-rwxr-xr-x 1 root root 5952 Sep 4 03:15 pam_rootok.so
-rwxr-xr-x 1 root root 10168 Sep 4 03:15 pam_securetty.so
-rwxr-xr-x 1 root root 14264 Sep 4 03:15 pam_setquota.so
-rwxr-xr-x 1 root root 6016 Sep 4 03:15 pam_shells.so
-rwxr-xr-x 1 root root 14232 Sep 4 03:15 pam_stress.so
-rwxr-xr-x 1 root root 14320 Sep 4 03:15 pam_succeed_if.so
-rwxr-xr-x 1 root root 14376 Sep 4 03:15 pam_time.so
-rwxr-xr-x 1 root root 18624 Sep 4 03:15 pam_timestamp.so
-rwxr-xr-x 1 root root 10192 Sep 4 03:15 pam_umask.so
-rwxr-xr-x 1 root root 47632 Sep 4 03:15 pam_unix.so
-rwxr-xr-x 1 root root 14320 Sep 4 03:15 pam_userdb.so
-rwxr-xr-x 1 root root 10144 Sep 4 03:15 pam_usertype.so
-rwxr-xr-x 1 root root 5960 Sep 4 03:15 pam_warn.so
-rwxr-xr-x 1 root root 10128 Sep 4 03:15 pam_wheel.so
-rwxr-xr-x 1 root root 18752 Sep 4 03:15 pam_xauth.so
/lib/security/pam_filter:
total 12
-rwxr-xr-x 1 root root 10104 Sep 4 03:15 upperLOWER |
| Code: | $ md5sum /lib/security/*
5ac785cc6f98c61f002d72a2abfa3387 /lib/security/pam_access.so
c98af75a7648f258c024303883597149 /lib/security/pam_cap.so
a610d8380a93990c5801b2e81f734efd /lib/security/pam_debug.so
1f168965a79f6cbd634c0396e6c9e08c /lib/security/pam_deny.so
9d31a37dbbe5e8983168f3fc6425ec3f /lib/security/pam_echo.so
f2877d925befeb7b41cc2b4f81a58ae9 /lib/security/pam_env.so
c15f7c49e45117d434836cf139917b97 /lib/security/pam_exec.so
0345a7f9f454aab203392d9eab2d5da5 /lib/security/pam_faildelay.so
c836da684ddfa53c934046f757964d02 /lib/security/pam_faillock.so
md5sum: /lib/security/pam_filter: Is a directory
51d586cb7f8d78a8d0b018728f70a4a8 /lib/security/pam_filter.so
0469425c80e3bb2534bed7ae704526e9 /lib/security/pam_ftp.so
01e49f9847883af40c1448c008ae38ae /lib/security/pam_gnome_keyring.so
5d3c7e5d6c99ecf7bc9554b402df66d9 /lib/security/pam_group.so
2fa64e6f2574a54ef6a9dfed3b253f2c /lib/security/pam_issue.so
b903aca4b9f2701b2306a1a46ca9ce95 /lib/security/pam_keyinit.so
465ae51493bdbe9ff9757288fc745233 /lib/security/pam_lastlog.so
cd8c7ad5b8a13860503ae64d99671158 /lib/security/pam_limits.so
dcc5ee652a043e874053053a29908646 /lib/security/pam_listfile.so
43c6cb52a30be475df827fd9953f560f /lib/security/pam_localuser.so
8b990abd03e18c655c3e184ce81e13f7 /lib/security/pam_loginuid.so
9a9979962c5ff127b3bfc056f26dc40b /lib/security/pam_mail.so
c917dfc7e6dc764d20bebacca8eda2f6 /lib/security/pam_mkhomedir.so
78ebbea53b5bd372d4b6a5c3ca11e4ac /lib/security/pam_motd.so
e375822701efdc08c3bbbd37d1053a5c /lib/security/pam_namespace.so
69935b1f6b65273619ee75ab40a7ffaf /lib/security/pam_nologin.so
82358b58ae695ef7e66d77b44349d83a /lib/security/pam_passwdqc.so
72fb0f3fd72066c8923ac521ce8e9895 /lib/security/pam_permit.so
deeaebda2dea777fcc4c301d8fb92b7a /lib/security/pam_pwhistory.so
3b696c90a757b44b19d311b36cdff522 /lib/security/pam_rhosts.so
645baa015e0807082616c5e37e1a1f54 /lib/security/pam_rootok.so
06a8bea92541f9b91e8139f108253b6d /lib/security/pam_securetty.so
2f321bdfea9c8b1c085500f5e340ff83 /lib/security/pam_setquota.so
64270e2de826fc95eb9667ce623844dc /lib/security/pam_shells.so
b69b5f44c86cb0934eb338899c62008a /lib/security/pam_stress.so
091188052fe6a12ec5542afbbddc77e2 /lib/security/pam_succeed_if.so
2ccc15435afb12f6d5e94aa9ecea783d /lib/security/pam_time.so
1b51a6f80edd42c4ed85103314278402 /lib/security/pam_timestamp.so
651f42757f9348d77f9bf32e7a8e3ee3 /lib/security/pam_umask.so
c3f06c78220cf8e473afbe1f6d4e045e /lib/security/pam_unix.so
dfb655f3eaf2bd276cd9fa91ce1da10f /lib/security/pam_userdb.so
6969a3c6c1f0eda095b25b1df651003d /lib/security/pam_usertype.so
87cb46fcececd779f6db99f3c3259c96 /lib/security/pam_warn.so
45d251456978262211478f73a834b789 /lib/security/pam_wheel.so
3aabb7e46666a932cfcda10108fe770f /lib/security/pam_xauth.so |
There has been a pam update recently.
Oh, you know that md5sum is hopelessly broken from a security perspective?
Its now trivial to create a payload with any given md5sum you care to name.
That's why md5 is not used in /etc/shadow any longer.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
|
SpackmanChris
n00b
Joined: 24 Mar 2019
Posts: 7
|
| Posted: Tue Oct 27, 2020 11:05 pm Post subject: |
|
|
Thanks you for the info. Our sums don't match, but my Gentoo hasn't been updated in several weeks, so probably missed any recent updates. Also, would ours match, even if we had the same versions, if we compile with different settings?
The usr/portage/metadata and var/log/emerge.log are fine. they are both at the day that I shipped the computer off - I did an update and backup right before sending it. So, nothing suspicious there. Although, as you say, who knows?
I am confused now, though, because:
* on the computer, lib is its own dir, but it is full of 32-bit files (probably put there by the repair people because ???)
* on the computer, there is no lib32 dir
* on the backup, lib is a symlink to lib64
* on the backup, there is a lib32 dir
I installed Gentoo on this computer about a year and some months ago (and been using Gentoo for many years), but I think I've kept up with any layout changes that mattered. Are we supposed to have lib -> lib64 and a lib32 dir? If yes, I'm just going to restore from backup and stop worrying about it.
And, yeah, I was aware that md5sum is obsolete. I just started with that because I was in a hurry (even though it probably didn't actually save that much time). I didn't realize it was trivial to spoof it now, though.
Thanks for your help!
_________________
--
Chris Spackman
ESL Coordinator
Linux user since 1998
Linux user #137532 |
|
| Back to top |
|
|
SpackmanChris
n00b
Joined: 24 Mar 2019
Posts: 7
|
| Posted: Tue Oct 27, 2020 11:59 pm Post subject: |
|
|
Okay, with a little more research, it seems that maybe the lib and lib64 dirs on the internal drive are correct and the backup is a bit mixed up?
If that is correct, it may be because rsync never got rid of the lib -> lib64 symlink? And in all the output of rsync, I could have missed it complaining about lib32 not existing?
I'm going to grep on the backup for the sha512 sums of the files in lib on the internal drive.
All other sha512sums for files from boot, bin, sbin, opt, etc, and most of usr matched (too many files!), so I'm thinking it is likely not compromised, but perhaps my error. If I find all the sha512sums from lib files in other places in lib / lib32 / lib 64 in the backup, it will be pretty well confirmed. If so, another example of needing to be careful and always check your backups.
Of course, this is assuming that the current Gentoo standard is lib as a real dir and lib64 as a real dir, and no lib32 anymore.
_________________
--
Chris Spackman
ESL Coordinator
Linux user since 1998
Linux user #137532 |
|
| Back to top |
|
|
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54834
Location: 56N 3W
|
| Posted: Wed Oct 28, 2020 12:10 am Post subject: |
|
|
SpackmanChris,
Different USE settings, different CFLAGS, different versions of gcc and other things will affect the md5sums.
Do not just change the /lib /lib64 whatever settings lightly.
The /17.0/ to /17.1/ profile change changes these settings. It also needs all your 32 bit code rebuilt.
Did you do the profile update after the backup?
Compare the output of | Code: | | readlink /etc/portage/make.profile |
on the 'live' system and the backup.
Read the news item too.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
|
SpackmanChris
n00b
Joined: 24 Mar 2019
Posts: 7
|
| Posted: Wed Oct 28, 2020 11:38 am Post subject: |
|
|
I've not done anything with the /lib and /lib64 on either the internal drive or the backup.
I did do the switch to the 17.1 profile and new lib layout - I don't remember exactly, but soon-ish after it came out.
I reread the news item - if I'm understanding correctly, my system should have only /lib (NOT a symlink) and /lib64. This makes me think those parts of the backup were not correctly updated after the 17.1 switch.
When I tested the backup, I usually just checked bin, boot, etc, sbin, maybe usr/sbin, so I could have missed the lib confusion.
So, I think the most likely explanation is that the lib part of the backup was messed up and there is no problem with the internal drive. If I can find the files from internal lib on the backup (but in the old / wrong location), that would be strong confirmation that nothing had been tampered with on the internal drive.
Thanks for your help.
_________________
--
Chris Spackman
ESL Coordinator
Linux user since 1998
Linux user #137532 |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
