[unisog] odd result from sidekick/sfpC

Peter Ruprecht ruprech at jilau1.Colorado.EDU
Thu Nov 29 17:28:21 GMT 2001


Hi again,

Thanks for several suggestions to compare the files in question with the
data in /var/sadm/install/contents.  In my case, they're the same, so
being hopeful and not very paranoid, I'm going to assume that 


On Tue, 27 Nov 2001, Peter Ruprecht wrote:

> 
> Hi everyone,
> 
> I've recently been playing around with Sun's tools "sidekick.sh" and
> "sfpC.pl", which compare md5 checksums for important system binaries with
> a canonical list in a database at Sun.  Thus, one should be able to find
> any binaries on a machine that have been tampered with.
> 
> Anyway, on all my Solaris 7 and 8 machines, I find positive matches for
> /sbin/su, /usr/bin/date, and /usr/ucb/ps.  (That is, their checksums don't
> match any that Sun has ever distributed.)  Does anyone know whether these
> three tools are not represented properly in Sun's db or whether this is
> the signature of some Trojan/rootkit? 
> 
> By the way, these programs are distributed from http://www.sun.com/security.
> 
> Thanks,
> Pete
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Peter Ruprecht                  Professional Research Asst. - Computing
> JILA, Room S220                 phone: (303) 492-8255
> University of Colorado-Boulder  fax: (303) 492-5235
> 440 UCB                         email: Peter.Ruprecht at jila.colorado.edu
> Boulder, CO 80309-0440          http://jilawww.colorado.edu/~ruprech
> 
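The check the thread is about, restated as a small stand-alone script. This is an added example, not code from the original post and not Sun's sidekick.sh or sfpC.pl: it computes the MD5 of each file and looks it up in a local allowlist of known-good fingerprints in the "<md5>  <path>" layout md5sum prints (the Sun database was queried over the web instead; the local list and the sample files here are constructed for the demo). A file whose digest matches none of the listed fingerprints for its path is reported as "unknown", which is exactly the signal the poster saw for /sbin/su, /usr/bin/date and /usr/ucb/ps; whether that means tampering or merely a version missing from the database has to be settled by another source, such as the package database in /var/sadm/install/contents.

```python
"""Compare MD5 fingerprints of binaries against a known-good list.

Added example (not Sun's sidekick.sh/sfpC.pl). The fingerprint list format,
"<md5>  <path>" per line, and the sample files are constructed for the demo.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple


def md5_of_file(path: str) -> str:
    """Hex MD5 digest of a file, read in 64 KiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_fingerprint_list(text: str) -> Dict[str, Set[str]]:
    """Parse "<md5>  <path>" lines into path -> set of accepted digests.

    One path may carry several digests (one per shipped release or patch),
    which is how a vendor fingerprint database is organised.
    """
    known: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        digest, path = line.split(None, 1)
        known.setdefault(path, set()).add(digest.lower())
    return known


def check_files(paths: List[str], known: Dict[str, Set[str]],
                root: str = "") -> List[Tuple[str, str, str]]:
    """Return (path, digest, status) for each path.

    status: "ok"       digest is an accepted fingerprint for that path
            "unknown"  path is listed but no listed digest matches (the
                       result the poster got for su, date and ps)
            "unlisted" path is absent from the fingerprint list altogether
    `root` lets the checked tree live elsewhere (e.g. a mounted image) while
    the lookup still uses the canonical absolute path.
    """
    results = []
    for path in paths:
        real = os.path.join(root, path.lstrip("/")) if root else path
        digest = md5_of_file(real)
        if path not in known:
            status = "unlisted"
        elif digest in known[path]:
            status = "ok"
        else:
            status = "unknown"
        results.append((path, digest, status))
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: four fake binaries in a temp tree.

    Three are in the fingerprint list; one of those is modified after the
    list was built, and the fourth is never listed. Returns path -> status.
    """
    files = {  # constructed contents standing in for real binaries
        "/sbin/su": b"pristine su (constructed)\n",
        "/usr/bin/date": b"pristine date (constructed)\n",
        "/usr/ucb/ps": b"pristine ps (constructed)\n",
        "/usr/bin/ls": b"pristine ls (constructed)\n",
    }
    listed = ["/sbin/su", "/usr/bin/date", "/usr/ucb/ps"]
    with tempfile.TemporaryDirectory() as root:
        for path, data in files.items():
            full = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        # Build the "vendor" list from the pristine copies of the listed files.
        listing = "\n".join(
            f"{hashlib.md5(files[p]).hexdigest()}  {p}" for p in listed)
        known = parse_fingerprint_list(listing)
        # Modify /sbin/su after the list exists: its digest is now unknown.
        with open(os.path.join(root, "sbin/su"), "ab") as fh:
            fh.write(b"appended bytes\n")
        return {p: s for p, _, s in check_files(list(files), known, root=root)}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8s} {path}")
```

On a real host the list would come from the vendor (or from your own baseline taken at install time) and the checked paths from the package database, and the check should run from trusted media, since a compromised `md5`, `sum` or `ls` can lie about the files it is asked to describe.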