[BlueOnyx:11188] Re: md5sum /sbin/init

Michael Stauber mstauber at blueonyx.it
Thu Aug 16 17:23:01 -05 2012


Hi Maurice,

> Would someone be so kind to confirm the md5sum I got?
> # md5sum /sbin/init
> bcb520553ed33744fcf097dd5d78d7ad  /sbin/init
> 
> # ls -la /sbin/init
> -rwxr-xr-x 1 root root 149284 Jun 20 18:22 /sbin/init

A good way to check things like this is to verify the RPM database. It
also stores the MD5 sums and timestamps of files contained in an RPM.

With "rpm -Va" you can verify *all* RPMs, which will produce a list that
will fill several screens and whose analysis usually takes a while.

But you can also use "rpm -V name-of-rpm" to verify just a single RPM
and its files.

If you are unsure which RPM a certain file belongs to (such as
/sbin/init), then you can also query the RPM database to find that out:

[root@5107r BlueOnyx]# rpm -q --whatprovides /sbin/init
upstart-0.6.5-12.el6.i686

So this tells us that /sbin/init belongs to the RPM
upstart-0.6.5-12.el6.i686 and not to "initscripts". Yes, on RHEL5 clones
it used to belong to "initscripts", but no longer.

Example for verifying "initscripts" on a 5107R:

[root@5107r BlueOnyx]# rpm -V initscripts
missing     /etc/init/control-alt-delete.conf
missing     /etc/init/plymouth-shutdown.conf
missing     /etc/init/prefdm.conf
missing     /etc/init/quit-plymouth.conf
S.5....T.    /etc/init/rc.conf
missing     /etc/init/rcS-sulogin.conf
S.5....T.    /etc/init/rcS.conf
missing     /etc/init/serial.conf
missing     /etc/init/start-ttys.conf
missing     /etc/init/tty.conf

This tells me that from the standard "initscripts" RPM on a 5107R a few
files have been removed after installation, which is normal.

Additionally two files now have a different MD5 checksum and timestamp:

S.5....T.    /etc/init/rc.conf
S.5....T.    /etc/init/rcS.conf

But these are config files which have been modified, so it's OK, too. No
binaries are listed as modified, so it's all good in this case.

But we wanted to verify the integrity of "upstart" and not
"initscripts", so let us check that, too:

[root@5107r BlueOnyx]# rpm -V upstart
[root@5107r BlueOnyx]#

There. The prompt returned blank, so my "upstart" on this box has not
been modified at all.

And you can use "rpm -ql name-of-rpm" to check which files belong to an RPM:

[root@5107r BlueOnyx]# rpm -ql upstart
/etc/dbus-1/system.d/Upstart.conf
/etc/init
/etc/init/init-system-dbus.conf
/sbin/halt
/sbin/init
/sbin/initctl
/sbin/poweroff
/sbin/reboot
/sbin/reload
/sbin/restart
/sbin/runlevel
/sbin/shutdown
/sbin/start
/sbin/status
/sbin/stop
/sbin/telinit
/usr/share/doc/upstart-0.6.5
/usr/share/doc/upstart-0.6.5/AUTHORS
/usr/share/doc/upstart-0.6.5/COPYING
/usr/share/doc/upstart-0.6.5/HACKING
/usr/share/doc/upstart-0.6.5/NEWS
/usr/share/doc/upstart-0.6.5/README
/usr/share/doc/upstart-0.6.5/TODO
/usr/share/locale/en@boldquot/LC_MESSAGES/upstart.mo
/usr/share/locale/en@quot/LC_MESSAGES/upstart.mo
/usr/share/man/man5/init.5.gz
/usr/share/man/man5/inittab.5.gz
/usr/share/man/man7/control-alt-delete.7.gz
/usr/share/man/man7/keyboard-request.7.gz
/usr/share/man/man7/power-status-changed.7.gz
/usr/share/man/man7/runlevel.7.gz
/usr/share/man/man7/started.7.gz
/usr/share/man/man7/starting.7.gz
/usr/share/man/man7/startup.7.gz
/usr/share/man/man7/stopped.7.gz
/usr/share/man/man7/stopping.7.gz
/usr/share/man/man7/upstart.7.gz
/usr/share/man/man8/halt.8.gz
/usr/share/man/man8/init.8.gz
/usr/share/man/man8/initctl.8.gz
/usr/share/man/man8/poweroff.8.gz
/usr/share/man/man8/reboot.8.gz
/usr/share/man/man8/reload.8.gz
/usr/share/man/man8/restart.8.gz
/usr/share/man/man8/runlevel.8.gz
/usr/share/man/man8/shutdown.8.gz
/usr/share/man/man8/start.8.gz
/usr/share/man/man8/status.8.gz
/usr/share/man/man8/stop.8.gz
/usr/share/man/man8/telinit.8.gz

So on an RPM based system the RPM database is really a pretty useful
thing for system diagnostics and (to a certain degree) also for
forensics. The typical intruder doesn't bother with messing with the RPM
database. And he doesn't bother to roll up and to install RPMs with
trojaned binaries inside. Even if he did, this would leave other traces
and hints, as our RPMs are typically GPG signed and have a checksum
themselves. Both will be different from what we expect to see. Even a
wrecked RPM database is no good for the attacker, as it immediately
generates some interesting error messages during the next daily YUM
update. I wouldn't 100% rely on the RPM database as the only tool for
forensics, but it's still pretty useful.

Now before someone emails a 100 pages long output of his own "rpm -Va"
to this list and asks if all the modified MD5 sums and missing files are
normal: Yes, even a freshly installed BlueOnyx will have a ton of files
with modified MD5 sums or missing files, because config files got
changed, adjusted and modified, have been removed or got their
permissions and ownerships changed. All of these legitimate changes
result in discrepancies that the RPM database will list in all their glory.

Still, as a rule of thumb you can say this much: If a binary like
/sbin/init shows a different MD5 sum (and/or timestamp) than what the
RPM database has recorded, then this is a red herring and it's a strong
indicator something is fishy.

-- 
With best regards

Michael Stauber
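The post's advice boils down to: ignore "missing" entries and changed config files, but treat a size or MD5 change on a binary under /sbin, /bin, /usr/bin or the library directories as a warning sign. The following shell filter applies exactly that rule to "rpm -V" / "rpm -Va" output. It is an added example, not code from the original post or from the BlueOnyx project; the function name and the sample "rpm -V" lines (modelled on the format shown in the post, including the optional "c" config marker that rpm prints for %config files) are constructed for the demonstration.

```shell
#!/bin/sh
# Filter "rpm -V" / "rpm -Va" output down to the entries that matter most
# for an integrity check: a changed size (S, column 1) or changed MD5/digest
# (5, column 3) on a file living under a binary or library directory.
# "missing" entries and files marked as config ("c") are dropped, since the
# post explains those are expected on a tuned-up system.
#
# Usage on a live box (root):   rpm -Va 2>/dev/null | flag_binary_changes
flag_binary_changes() {
    awk '
    # "missing" lines and blank lines carry no checksum information here
    $1 == "missing" || NF == 0 { next }
    {
        flags = $1          # the 9-character S.5....T. field
        path  = $NF         # the file path is always the last field
        # rpm may print a one-letter attribute marker (c, d, g, l, r)
        # between the flag field and the path; "c" means %config file
        if (NF == 3 && $2 == "c") next
        # only binaries and libraries are of interest for this check
        if (path !~ /^\/(bin|sbin|lib|lib64|usr\/bin|usr\/sbin|usr\/lib|usr\/lib64|usr\/libexec)\//) next
        # size (S) or checksum (5) changed -> report the original line
        if (substr(flags, 1, 1) == "S" || substr(flags, 3, 1) == "5") print
    }'
}

# Constructed sample of "rpm -V" output (hypothetical paths and flags,
# not captured from a real system) so the filter can be run offline.
SAMPLE='missing     /etc/init/tty.conf
S.5....T.    /etc/init/rc.conf
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /sbin/init
.......T.    /usr/bin/hypothetical-tool'

# Expected: only the /sbin/init line survives the filter.
printf '%s\n' "$SAMPLE" | flag_binary_changes
```

A timestamp-only change (T without 5) is deliberately not reported: on its own it does not prove the content changed, and the post's rule is built on the checksum. If you want a stricter run, widen the last test in the awk block to include the T column and expect more noise.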
