Thanks for the pointer to www.knowngoods.org.

Last year I was thinking of starting up an "MD5 collection project" where people could register MD5 codes (and I guess you have to do SHA-1 codes now) from different operating systems or forensics investigations. The theory was that on a first-pass study of a hard drive, the interesting files are files that have never been seen anywhere else. I had started on an agent that people could run to report MD5s and so on, but for some reason I never finished the project. If this sounds interesting, I could finish it.

On Saturday, January 18, 2003, at 07:12 PM, Chris Reining wrote:

> On Fri, Jan 17, 2003 at 03:01:19PM -0800, Mark G. Spencer wrote:
>> I'm working on a server that has been "owned" for over a year. Needless to
>> say, there are a significant number of what I would call "questionable"
>> files on the box. Some of them I can quickly identify, albeit not
>> authoritatively at this point, (e.g. httpodbc.dll), but others I cannot.
>>
>> If I MD5 the collection of questionable files, is there a database I can
>> cross-reference my MD5's against to authoritatively identify what these
>> things are? I understand I may end up with some unknowns depending on how
>> the executables were compressed and/or wrapped.
>
> The only public repository of md5s I'm aware of is the one at
> www.knowngoods.org. Unfortunately for your situation, it only contains
> linux, freebsd, macosx, macosx-server, and solaris sums.
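The first-pass triage described in this thread (hash every file on the suspect disk, match the sums against a known-good list, and look only at what has never been seen elsewhere) can be sketched as a small script. This is an added example, not code from the poster's unfinished agent or from knowngoods.org; it assumes the known-good list arrives in md5sum/sha1sum style "digest  path" lines, and the sample files and list below are constructed inline so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def hash_file(path, chunk_size=65536):
    """Return (md5, sha1) hex digests of one file, read in chunks so large
    binaries do not have to fit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def load_known_goods(lines):
    """Parse 'digest  path' lines (md5sum or sha1sum output, an assumed
    format) into a set of lowercase digests; blank and '#' lines are skipped."""
    known = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split()[0].lower()
        if len(digest) in (32, 40) and set(digest) <= HEX:
            known.add(digest)
    return known


def triage(root, known):
    """Walk a mounted image under root. Return (seen, unknown): lists of
    (relative path, md5, sha1). A file is 'seen' if either digest is in the
    known-good set; symlinks and non-regular files are skipped."""
    seen, unknown = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            md5, sha1 = hash_file(p)
            rec = (os.path.relpath(p, root).replace(os.sep, "/"), md5, sha1)
            if md5 in known or sha1 in known:
                seen.append(rec)
            else:
                unknown.append(rec)
    return seen, unknown


def demo():
    """Constructed image: two files whose sums appear in the known-good list
    (one by MD5, one by SHA-1) and one file that appears nowhere."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/ls": b"constructed known binary one",
            "lib/libc.so": b"constructed known binary two",
            "tmp/httpodbc.dll": b"constructed file never seen anywhere else",
        }
        for rel, data in files.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # Constructed known-good list covering only the first two files.
        known_lines = [
            "# constructed known-good list",
            f"{hashlib.md5(files['bin/ls']).hexdigest()}  bin/ls",
            f"{hashlib.sha1(files['lib/libc.so']).hexdigest()}  lib/libc.so",
        ]
        seen, unknown = triage(root, load_known_goods(known_lines))
        return sorted(r[0] for r in seen), sorted(r[0] for r in unknown)


if __name__ == "__main__":
    seen, unknown = demo()
    print("seen before:", seen)
    print("never seen: ", unknown)
```

Matching on either digest lets a list that carries only MD5s (as knowngoods.org did then) sit beside newer SHA-1 lists. As Mark notes, a binary that was packed or wrapped after the fact will hash differently from its clean original and will land in the unknown pile; that pile is the starting point for manual review, not a verdict.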
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 03:34:57 PST