We talked a little about MD5deep in this article. One nice thing about MD5deep is that it can recurse into directories, which lets you build a set of MD5 sums for an entire directory tree and later check the tree against it. /etc is a good one to use as an example. Let’s create the set of MD5 sums:
```
root@srv-1 etc # md5deep -r * > etchashes
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link
root@srv-1 etc # head etchashes
c02e852ee9abd1a44a09f08a1f4b4ba8  /etc/CORBA/servers/gnomecc.gnorba
6ad4de64bfecc2fd4aba1653d6f6b191  /etc/CORBA/servers/panel.gnorba
fb25aaa5c183eb5908a5251917410299  /etc/CORBA/servers/gnomexmms.gnorba
86080911bc4514d5788ad5a8a47d19e3  /etc/DIR_COLORS
a0ce0f1c8a5771a1194f5895211a3f66  /etc/X11/Sessions/Xsession
effac7a41dd635d5aadb3f0a4e43320a  /etc/X11/Sessions/kde-3.0.4
394b2e1b38f7de34837ef36c869706f6  /etc/X11/Sessions/blackbox
b10dbd1b6388f5fdf9feee0e56525ea5  /etc/X11/Sessions/Gnome
8d4f58fc5ac42867d7cfb4e82f8ff555  /etc/X11/Sessions/icewm
effac7a41dd635d5aadb3f0a4e43320a  /etc/X11/Sessions/kde-3.0.5a
```
Let’s verify by using the -x option, which prints only the files whose hash does not match an entry in the list:
```
root@srv-1 etc # md5deep -x etchashes -r *
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
/etc/etchashes
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link
```
Well, /etc/etchashes shows up as being different, but that makes sense: we created it after the list was built, so it has no entry in the list. Let’s test this by editing a file, running the check, changing the file back, and running the check again:
```
root@srv-1 etc # vi /etc/X11/Sessions/icewm
root@srv-1 etc # md5deep -x etchashes -r *
/etc/X11/Sessions/icewm
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
/etc/etchashes
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link
root@srv-1 etc # vi /etc/X11/Sessions/icewm
root@srv-1 etc # md5deep -x etchashes -r *
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
/etc/etchashes
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link
root@srv-1 etc #
```
Nice! When we change icewm, it shows up in the scan. When we change it back, it is no longer listed. Make sure you save the list of MD5 checksums on a floppy or some other place that is not available to an intruder, since a list the intruder can rewrite proves nothing.
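The same baseline-and-verify workflow, written out as an added example (this is not code from the original post or from the md5deep project). It mirrors what the session above does: walk a tree recursively, skip symbolic links the way md5deep does, write the digests in md5deep's `<digest>  <path>` format, and on a later run report files whose digest no longer matches. It goes a step further than `-x`, which only prints non-matching files: it also separates newly added files from files that have gone missing, and it keeps the baseline outside the tree being checked so the list itself never shows up as a difference. The function names and the small `/etc`-like tree built in `demo()` are this example's own constructions; the `algo` parameter defaults to `md5` to match the post but accepts `sha256`, which is the better choice today because MD5 is no longer collision-resistant.

```python
"""Added example: a minimal md5deep-style baseline builder and verifier.
Names (hash_file, build_baseline, compare, demo) are this example's own."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "md5", chunk: int = 1 << 16) -> str:
    """Hash a file in fixed-size chunks so large files need not fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str, algo: str = "md5") -> dict[str, str]:
    """Walk `root` recursively and return {absolute path: digest}.
    Symbolic links (to files or directories) are skipped, as md5deep -r does."""
    baseline: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into symlinked directories.
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            p = Path(dirpath, name)
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p)] = hash_file(p, algo)
    return baseline


def save_baseline(baseline: dict[str, str], dest: str) -> None:
    """Write the list in md5deep's output format: '<digest>  <path>' per line."""
    with open(dest, "w") as f:
        for path, digest in sorted(baseline.items()):
            f.write(f"{digest}  {path}\n")


def load_baseline(src: str) -> dict[str, str]:
    """Read a list written by save_baseline (or by md5deep itself)."""
    baseline: dict[str, str] = {}
    with open(src) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, path = line.split("  ", 1)
                baseline[path] = digest
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]):
    """Return (changed, added, missing) as sorted path lists.
    `changed` is what md5deep -x would print for files that still exist."""
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return changed, added, missing


def demo():
    """Constructed demonstration: baseline a small /etc-like tree, then edit
    one file, add one, delete one, and drop in a symlink that must be ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp, "etc")
        (tree / "X11" / "Sessions").mkdir(parents=True)
        (tree / "X11" / "Sessions" / "icewm").write_text("exec icewm\n")
        (tree / "hostname").write_text("srv-1\n")
        (tree / "motd").write_text("welcome\n")
        os.symlink(tree / "motd", tree / "motd.lnk")  # skipped, like md5deep

        # Keep the list OUTSIDE the tree so it never appears as a difference.
        store = Path(tmp, "etchashes")
        save_baseline(build_baseline(str(tree)), str(store))

        (tree / "X11" / "Sessions" / "icewm").write_text("exec icewm -c custom\n")
        (tree / "newfile").write_text("x\n")
        (tree / "motd").unlink()

        changed, added, missing = compare(load_baseline(str(store)),
                                          build_baseline(str(tree)))
        rel = lambda paths: [os.path.relpath(p, tree) for p in paths]
        return rel(changed), rel(added), rel(missing)


if __name__ == "__main__":
    for label, paths in zip(("changed", "added", "missing"), demo()):
        print(f"{label}: {paths}")
```

Running the script prints the edited `X11/Sessions/icewm` under `changed`, `newfile` under `added` and `motd` under `missing`, while the symlink `motd.lnk` is never listed. Because `load_baseline` reads the same two-space format md5deep writes, the `etchashes` file from the session above can be fed straight into `compare` against a fresh `build_baseline("/etc")`.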