[unisog] odd result from sidekick/sfpC
Kevin L Prigge
klp at tc.umn.edu
Wed Nov 28 03:36:36 GMT 2001
On Tue, Nov 27, 2001 at 05:03:53PM -0700, Peter Ruprecht wrote:
> Hi everyone,
> I've recently been playing around with Sun's tools "sidekick.sh" and
> "sfpC.pl", which compare md5 checksums for important system binaries with
> a canonical list in a database at Sun. Thus, one should be able to find
> any binaries on a machine that have been tampered with.
> Anyway, on all my Solaris 7 and 8 machines, I find positive matches for
> /sbin/su, /usr/bin/date, and /usr/ucb/ps. (That is, their checksums don't
> match any that Sun has ever distributed.) Does anyone know whether these
> three tools are not represented properly in Sun's db or whether this is
> the signature of some Trojan/rootkit?
> By the way, these programs are distributed from http://www.sun.com/security.
su and ps are usually replaced by a rootkit. It's curious that those are
the only different binaries, as a full rootkit usually replaces many more
binaries. Also, what are the permissions on /usr/bin/date?

How does the file info on these files match up with /var/sadm/install/contents?

What are the latest patches you have installed for these files, and do
the binaries compare with the binaries in the patches?
Kevin L. Prigge
U of MN, Twin Cities
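The two checks Kevin suggests (file metadata against the package database, and the installed binary against a known-good copy) can be scripted. The following is an added example and is not code from the thread, from Sun's sidekick/sfpC tools, or from Solaris itself. It assumes the field order of regular-file entries in /var/sadm/install/contents (path, type, class, mode, owner, group, size, cksum, mtime, packages) and assumes the cksum column is the default 16-bit algorithm of sum(1); both are labelled as assumptions in the code, and the MD5 baseline and the sample "binaries" are constructed in a temporary directory so the script runs offline.

```python
"""Verify system binaries against two independent references:
  1. mode/size/cksum recorded in /var/sadm/install/contents-style lines;
  2. known-good MD5 digests (the sidekick/sfpC idea: digest of the installed
     file versus the digest of what the vendor shipped).
Every disagreeing field is reported; an MD5 mismatch that patch history
does not explain is the case that deserves a closer look.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def parse_contents_line(line):
    """Parse one regular-file ('f') entry of /var/sadm/install/contents.
    Assumed field order: path ftype class mode owner group size cksum mtime pkg...
    Returns None for other entry types (directories, symlinks, ...)."""
    f = line.split()
    if len(f) < 10 or f[1] != "f":
        return None
    return {"path": f[0], "mode": int(f[3], 8), "owner": f[4], "group": f[5],
            "size": int(f[6]), "cksum": int(f[7]), "pkgs": f[9:]}


def sysv_sum(data):
    """16-bit checksum in the style of the default sum(1) algorithm
    (assumption: this is what the cksum column holds; cross-check one file
    with pkgchk before relying on it)."""
    s = sum(data)
    s = (s & 0xffff) + (s >> 16)
    s = (s & 0xffff) + (s >> 16)
    return s & 0xffff


def check_file(path, ref, md5_baseline):
    """Compare one file with its contents entry and MD5 baseline.
    Returns a list of 'field: expected/actual' strings; empty means clean."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != ref["mode"]:
        findings.append("mode: %04o/%04o" % (ref["mode"], mode))
    if st.st_size != ref["size"]:
        findings.append("size: %d/%d" % (ref["size"], st.st_size))
    with open(path, "rb") as fh:
        data = fh.read()
    ck = sysv_sum(data)
    if ck != ref["cksum"]:
        findings.append("cksum: %d/%d" % (ref["cksum"], ck))
    digest = hashlib.md5(data).hexdigest()
    expected = md5_baseline.get(path)
    if expected is None:
        findings.append("md5: not in baseline (%s)" % digest)
    elif digest != expected:
        findings.append("md5: %s/%s" % (expected, digest))
    return findings


def demo():
    """Constructed scenario: two fake binaries in a temp dir. 'date' is left
    as installed; 'su' is altered (and its mode changed) after the package
    database and MD5 baseline were recorded."""
    d = tempfile.mkdtemp()
    try:
        good = os.path.join(d, "date")
        bad = os.path.join(d, "su")
        good_bytes = b"#!/bin/sh\necho intact\n"
        orig_su = b"#!/bin/sh\necho original su\n"
        for path, body, mode in ((good, good_bytes, 0o555), (bad, orig_su, 0o555)):
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        # Reference data recorded while the files were still pristine.
        md5_baseline = {good: hashlib.md5(good_bytes).hexdigest(),
                        bad: hashlib.md5(orig_su).hexdigest()}
        contents = [  # constructed lines in /var/sadm/install/contents format
            "%s f none 0555 root bin %d %d 1006900000 SUNWcsu"
            % (good, len(good_bytes), sysv_sum(good_bytes)),
            "%s f none 4555 root sys %d %d 1006900000 SUNWcsu"
            % (bad, len(orig_su), sysv_sum(orig_su)),
        ]
        # Simulated tampering: appended bytes and a different permission set.
        with open(bad, "wb") as fh:
            fh.write(orig_su + b"# extra\n")
        os.chmod(bad, 0o755)
        report = {}
        for line in contents:
            ref = parse_contents_line(line)
            report[os.path.basename(ref["path"])] = check_file(ref["path"], ref, md5_baseline)
        return report
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

On a real host the contents lines would come from /var/sadm/install/contents and the MD5 baseline from the vendor's list or from the binaries inside the installed patches, as the reply suggests; a file whose mode, size and cksum all agree with the package database but whose MD5 does not is the interesting case to check against patch history.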