Re: /bin/login listening?
On Sun, 29 Jul 2007, Tyler Smith wrote:
> On 2007-07-29, Mathias Brodala <info@noctus.net> wrote:
>> Hi Douglas.
>>
>> Douglas Allan Tutty, 29.07.2007 18:35:
>>> Boot the box from something like the install CD, go to a shell, mount
>>> your / partition ro, noexec.
>>>
>>> I think the install CD has md5sum installed. Run:
>>> #md5sum /bin/login.
>>>
>>> On my i386, I get:
>>>
>>> 2ee32ff74e474c4d9fc9df6f1460980f /bin/login
>>
>> You should also tell the exact version of the "login" package you are using.
>> Otherwise this number is useless.
>>
>> With 1:4.0.18.1-11 on i386 I get this:
>>
>>> 004a41bb9196f1888bd89c2245910f46 /bin/login
>>
>
> Which is just what I got too. I found an old Mepis CD, booted into
> that, mounted my / partition, ran md5sum on /bin/login, and out came
> the same answer, for the same version of /bin/login.
>
> So I'm going to proceed as if I've been lucky, have not been
> rootkit-ed, and will continue on with hardening my laptop without
> reinstalling.
>
> Thanks for your help!
>
> Tyler
>

On that note, one thing that you might want to consider as part of the
hardening process is to install aide or some other file integrity checker.
Using something like that greatly helps in detecting and identifying issues
such as this.
-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
Received on Sun Jul 29 15:45:30 2007
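
The offline check described in this thread, generalized from one binary to a whole manifest, as an added example that is not part of the original messages. It assumes a manifest in the `<md5>  <relative path>` layout that dpkg uses for its `.md5sums` files, taken from a trusted copy of the same package version rather than from the suspect disk; the function name `verify_root` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Verify files under an offline-mounted
# root against a trusted manifest with lines of the form:
#   <md5hex>  <path relative to />
# Assumption: the manifest was obtained from a trusted source for the exact
# package version installed, not read from the disk being examined.

# verify_root ROOT MANIFEST
# Prints one line per problem; returns 0 only if every entry matches.
verify_root() {
    root=$1 manifest=$2 bad=0
    # "|| [ -n "$want" ]" keeps a final line that lacks a trailing newline.
    while read -r want path || [ -n "$want" ]; do
        [ -n "$want" ] || continue              # skip blank lines
        target="$root/$path"
        if [ -L "$target" ]; then
            # An absolute symlink would resolve into the rescue system,
            # not the mounted disk, so hashing through it proves nothing.
            echo "SYMLINK  $path"; bad=1
        elif [ ! -f "$target" ]; then
            echo "MISSING  $path"; bad=1
        else
            got=$(md5sum < "$target" | cut -d' ' -f1)
            if [ "$got" != "$want" ]; then
                echo "MISMATCH $path (got $got)"; bad=1
            fi
        fi
    done < "$manifest"
    return "$bad"
}

# Usage from rescue media, with the suspect root mounted read-only at /mnt
# and trusted-login.md5sums being a placeholder file name:
#   verify_root /mnt trusted-login.md5sums
```

A clean result only shows that the listed files match the manifest; files the manifest does not list are not examined.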