[unisog] odd result from sidekick/sfpC

Kevin L Prigge klp at tc.umn.edu
Wed Nov 28 03:36:36 GMT 2001


On Tue, Nov 27, 2001 at 05:03:53PM -0700, Peter Ruprecht wrote:
> 
> Hi everyone,
> 
> I've recently been playing around with Sun's tools "sidekick.sh" and
> "sfpC.pl", which compare md5 checksums for important system binaries with
> a canonical list in a database at Sun.  Thus, one should be able to find
> any binaries on a machine that have been tampered with.
> 
> Anyway, on all my Solaris 7 and 8 machines, I find positive matches for
> /sbin/su, /usr/bin/date, and /usr/ucb/ps.  (That is, their checksums don't
> match any that Sun has ever distributed.)  Does anyone know whether these
> three tools are not represented properly in Sun's db or whether this is
> the signature of some Trojan/rootkit? 
> 
> By the way, these programs are distributed from http://www.sun.com/security.
> 

su and ps are usually replaced by a rootkit.  It's curious that those are
the only different binaries, as a full rootkit usually replaces many more
binaries. Also, what are the permissions on /usr/bin/date?

How does the file info on these files match up with /var/sadm/install/contents?

What are the latest patches you have installed for these files, and do
the binaries compare with the binaries in the patches?

-- 
Kevin L. Prigge      
Internet Services  
U of MN, Twin Cities 
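As an added illustration of the check suggested above (comparing a file against its /var/sadm/install/contents record), here is a small script that is not part of the thread. It assumes the contents(4) field order for regular-file entries (path, ftype, class, mode, owner, group, size, cksum, modtime, packages) and that the cksum column is the 16-bit System V checksum that Solaris /usr/bin/sum reports; the sample entries and file bytes are constructed, not real Solaris data.

```python
import os

def sysv_sum(data: bytes) -> int:
    """16-bit System V checksum (assumed to match Solaris /usr/bin/sum and the
    cksum column of /var/sadm/install/contents)."""
    s = sum(data)
    r = (s & 0xFFFF) + ((s & 0xFFFFFFFF) >> 16)
    return (r & 0xFFFF) + (r >> 16)

def parse_contents(text: str) -> dict:
    """Keep only 'f' (regular file) entries, keyed by path.
    Assumed layout: path f class mode owner group size cksum modtime pkg..."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or parts[1] != "f":
            continue
        entries[parts[0]] = {"mode": parts[3], "owner": parts[4], "group": parts[5],
                             "size": int(parts[6]), "cksum": int(parts[7])}
    return entries

def check_file(expected: dict, data: bytes) -> list:
    """Return a list of mismatches between the on-disk bytes and the db record."""
    problems = []
    if len(data) != expected["size"]:
        problems.append(f"size {len(data)} != {expected['size']}")
    actual = sysv_sum(data)
    if actual != expected["cksum"]:
        problems.append(f"cksum {actual} != {expected['cksum']}")
    return problems

def check_installed(paths, contents_path="/var/sadm/install/contents") -> dict:
    """Run the comparison for real paths on a Solaris host (not exercised offline)."""
    with open(contents_path) as fh:
        entries = parse_contents(fh.read())
    report = {}
    for p in paths:
        if p not in entries:
            report[p] = ["not in package database"]
            continue
        with open(p, "rb") as fh:
            report[p] = check_file(entries[p], fh.read())
    return report

# Constructed sample: a 3-byte "binary" whose SysV sum is 294, recorded in two entries.
SAMPLE_CONTENTS = (
    "/usr/bin/date f none 0555 root bin 3 294 1000000000 SUNWcsu\n"
    "/sbin/su f none 4555 root sys 3 294 1000000000 SUNWcsr\n"
)

if __name__ == "__main__":
    db = parse_contents(SAMPLE_CONTENTS)
    print(check_file(db["/usr/bin/date"], b"abc"))   # [] : matches the record
    print(check_file(db["/sbin/su"], b"abd"))        # ['cksum 295 != 294']
```

A checksum or size mismatch here means the file differs from what the package database recorded at install or patch time; comparing against the copy in the relevant patch, as the reply suggests, shows whether a patch or something else made the change.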
