Hacked ? who, uptime, w ?
I just inherited some E's running Solaris 8. The uptime and w command output is not right; uptime gives me:
uptime
2:33pm 0 users, load average: 0.24, 0.36, 0.24
w
2:33pm 0 users, load average: 0.17, 0.34, 0.23 User tty login@ idle JCPU PCPU wha
who -a
just returns a prompt, no output no matter the option
-r-xr-xr-x 37 root bin 5256 Jan 5 2000 /usr/bin/uptime
-r-xr-xr-x 37 root bin 5256 Jan 5 2000 /usr/bin/w
-r-xr-xr-x 1 root bin 13088 Apr 3 2001 /usr/bin/who
How do I check the validity of the files to make sure they were not replaced? I don't know the circumstances of the previous admin who left here. All the servers have the same file dates and sizes.
Thanks
RichP
[772 byte] By [fistv] at [2007-11-25 23:20:40]

# 1
Use the pkgchk command for this type of stuff.
If you are only interested in whether the file has a problem:
$ pkgchk -p /usr/bin/w
If the file matches what is in /var/sadm/install/contents, the pkgchk command will simply return to a command prompt. If there is a problem with the file, you'll get something back like this (I messed up my /usr/local/bin/egrep command on purpose to get this output):
$ pkgchk -p /usr/local/bin/egrep
ERROR: /usr/local/bin/egrep
permissions <0755> expected <0644> actual
group name <bin> expected <other> actual
owner name <bin> expected <root> actual
file size <34> expected <0> actual
file cksum <2351> expected <0> actual
To figure out which package these files came from and what the "expected" values for things are, e.g. size, checksum of contents, file owner, etc.:
pkgchk -l -p /usr/bin/who
Pathname: /usr/bin/who
Type: regular file
Expected mode: 0555
Expected owner: root
Expected group: bin
Expected file size (bytes): 13080
Expected sum(1) of contents: 31735
Expected last modification: Jan 05 18:25:57 2000
Referenced by the following packages:
SUNWcsu
Current status: installed
This tells you what package this file came from and the expected value for various things. It doesn't do any checking of the expected values against the real file.
Of course, if you are REALLY suspicious of a machine, you really can't trust /var/sadm/install/contents. It's not hard to vi the file and modify it to match what you hacked.
Another, more painful, way is to take a patch audit of the system and figure out if the files were modified by a recent patch, hopefully one that is still on Sunsolve. Compare the command binary image in the patch with what is on the system. Hopefully they match.
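A worked version of the check this answer describes, added here as an example and not code from the answer itself: it reads the regular-file ("f") records out of a /var/sadm/install/contents file and compares mode, owner, group, size and checksum with the file actually on disk, reporting differences in the same "<expected> expected <actual> actual" style pkgchk uses. It assumes the record layout "path f class mode owner group size cksum mtime pkg..." and that the cksum column is the System V sum(1) algorithm (the default sum on Solaris, sum -s in GNU coreutils); the sample contents text and the tamper demo in main() are constructed for illustration, and the mtime column in the sample is a placeholder.

```python
"""Verify installed files against Solaris /var/sadm/install/contents records.

Added example, not the answer's own code. Assumptions: the 'f' record layout
"path f class mode owner group size cksum mtime pkg..." and that the cksum
column is the System V sum(1) checksum (Solaris default sum, GNU sum -s).
"""
import grp
import os
import pwd
import stat
import tempfile

# Constructed sample. The /usr/bin/who values are the ones pkgchk -l printed
# in the answer above; the mtime column (0) is a placeholder, and the
# directory record is there only to show that non-'f' records are skipped.
SAMPLE_CONTENTS = """\
/usr/bin d none 0755 root bin SUNWcsr SUNWcsu
/usr/bin/who f none 0555 root bin 13080 31735 0 SUNWcsu
"""


def sysv_sum(data: bytes) -> int:
    """System V 16-bit checksum (sum(1) without -r), assumed to be the
    algorithm behind the contents/pkgmap cksum field."""
    s = sum(data)
    r = (s & 0xFFFF) + ((s & 0xFFFFFFFF) >> 16)
    return (r & 0xFFFF) + (r >> 16)


def parse_contents(text: str) -> dict:
    """Return {path: expected attributes} for the regular-file records."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # Only 'f' records carry size and cksum; d, l, s, e, v ... are skipped.
        if not fields or fields[0].startswith("#") or len(fields) < 9 or fields[1] != "f":
            continue
        path, _ftype, _cls, mode, owner, group, size, cksum = fields[:8]
        entries[path] = {
            "permissions": int(mode, 8),
            "owner name": owner,
            "group name": group,
            "file size": int(size),
            "file cksum": int(cksum),
            "packages": fields[9:],
        }
    return entries


def _name(lookup, ident):
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)  # unknown uid/gid shows up as a mismatch, as it should


def observe(path: str) -> dict:
    """Collect the same attributes from the file that is actually on disk."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "permissions": stat.S_IMODE(st.st_mode),
        "owner name": _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid),
        "group name": _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid),
        "file size": st.st_size,
        "file cksum": sysv_sum(data),
    }


def compare(expected: dict, actual: dict) -> list:
    """Return (attribute, expected, actual) triples that differ; [] means OK."""
    keys = ("permissions", "owner name", "group name", "file size", "file cksum")
    return [(k, expected[k], actual[k]) for k in keys if expected[k] != actual[k]]


def report(path: str, expected: dict, actual: dict) -> list:
    """Render mismatches the way pkgchk prints them; [] when the file matches."""
    lines = []
    for key, exp, act in compare(expected, actual):
        if key == "permissions":
            exp, act = "%04o" % exp, "%04o" % act
        lines.append("%s <%s> expected <%s> actual" % (key, exp, act))
    return ["ERROR: " + path] + lines if lines else []


def main():
    # Demo on a throwaway file: build a record from the file as written, then
    # "replace" the file the way a trojaned binary would differ from the record.
    path = os.path.join(tempfile.mkdtemp(), "who")
    with open(path, "wb") as fh:
        fh.write(b"hello")
    os.chmod(path, 0o555)
    seen = observe(path)
    record = "%s f none 0555 %s %s %d %d 0 SUNWcsu\n" % (
        path, seen["owner name"], seen["group name"], seen["file size"], seen["file cksum"])
    expected = parse_contents(SAMPLE_CONTENTS + record)[path]
    print("\n".join(report(path, expected, observe(path)) or [path + ": matches contents record"]))
    os.chmod(path, 0o755)
    with open(path, "ab") as fh:
        fh.write(b"!")
    print("\n".join(report(path, expected, observe(path))))


if __name__ == "__main__":
    main()
```

Like pkgchk itself, this trusts whatever contents file it is handed, so on a box you actually suspect, feed parse_contents a copy of the contents file taken from a trusted, identically patched server (or records you build from the binaries in the patch), and run it from read-only media rather than with the host's own interpreter and libraries.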