Re: Problem: script written and invoked shows bourne shell has varying file size James wrote:
> Hello,
>
> I was writing a script yesterday that goes and searches popular shell
> locations and within those all shells and reports ls -l output on them.
Google tripwire.
>
> What it produced concerned me. In two locations, the bourne sh has two
> different file sizes.
Could be a problem. Could just be a mess someone made.
>
> Now CERT usually recommends that you compare the system against known
> media. How exactly is this done?
Frequently via a digest (e.g., sum, md5)
> I have the distribution on CD, and
> have superuser access to the system. My thought was that I'd print the
> output of the script, go to the server room and pull the server down
> into single user mode, mount the CD, and (hopefully I could then) do a
> long listing of the sh binary to see what the actual size was.
The size isn't necessarily a good indicator.
Again, "google tripwire"
> Actually, I thought I would find a way to print the binary sizes on CD,
> so I could just search the entire system for incorrect file sizes.
>
> Problem2: If there is a trojan in the system, what is the most
> effective step by step way to reload the original binaries? I don't
> necessarily want to reinstall the OS, and all backups are now suspect.
If you've been compromised, disconnect the system from the network,
try to find out *how* it was done, re-install the entire system from
media and fix the hole before reconnecting.
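The digest comparison the reply recommends, as an added example that is not part of the original thread: build a baseline of digests from a tree you trust (the distribution CD mounted at a hypothetical /mnt/cdrom), then check the live system's shells against it. Digests, not sizes, are what tripwire and similar tools record. The paths and the temp-directory demo are constructed for illustration; it assumes the trusted media carries the same installed binaries (on many distributions the CD holds packages that must be extracted or verified with the package tool first).

```sh
#!/bin/sh
# Added example, not code from the original thread. Builds a digest baseline of
# shell binaries from a trusted tree (e.g. the distribution CD mounted at a
# hypothetical /mnt/cdrom) and compares the live system against it, the way the
# reply suggests (digests rather than sizes; this is the core of what tripwire does).

# digest FILE -> hex digest on stdout. Prefers sha256sum; falls back to shasum/cksum.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1        # weak CRC; last resort only
    fi
}

# make_baseline TRUSTED_ROOT PATH... -> "digest  relative/path" per line on stdout.
# Run this against the mounted trusted tree, *not* against the suspect system.
make_baseline() {
    root=$1; shift
    for p in "$@"; do
        [ -f "$root/$p" ] || continue
        printf '%s  %s\n' "$(digest "$root/$p")" "$p"
    done
}

# check_against_baseline LIVE_ROOT BASELINE_FILE
# Prints one MISSING/MISMATCH line per deviation; returns 1 if any, 0 if clean.
check_against_baseline() {
    live=$1; baseline=$2; rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$live/$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        have=$(digest "$live/$path")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path (baseline $want, live $have)"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# demo_mismatch_count: constructed, self-contained run in temp dirs standing in
# for the CD and the live root. The "live" copy of bin/sh is altered and bin/ksh
# is removed, so the check reports exactly 2 deviations. Echoes that count.
demo_mismatch_count() {
    tmp=$(mktemp -d)
    trusted=$tmp/cd; live=$tmp/live
    mkdir -p "$trusted/bin" "$trusted/usr/bin" "$live/bin" "$live/usr/bin"
    for p in bin/sh bin/ksh usr/bin/bash; do
        printf 'fake %s binary\n' "$p" > "$trusted/$p"   # constructed stand-ins
        cp "$trusted/$p" "$live/$p"
    done
    printf 'extra bytes\n' >> "$live/bin/sh"              # simulated tampering
    rm -f "$live/bin/ksh"
    make_baseline "$trusted" bin/sh bin/ksh usr/bin/bash > "$tmp/baseline.txt"
    n=$(check_against_baseline "$live" "$tmp/baseline.txt" | wc -l)
    rm -rf "$tmp"
    echo "$n" | tr -d ' '
}

demo_mismatch_count   # prints 2
```

In real use: `make_baseline /mnt/cdrom bin/sh bin/ksh usr/bin/bash > baseline.txt` with the CD mounted, then `check_against_baseline / baseline.txt` from single-user mode. Run the check with a shell and digest tool taken from the trusted media (or a static copy on read-only media), since a trojaned system can lie about its own files; and, as the reply says, a confirmed mismatch means reinstall from media after finding the hole, not patching binaries one at a time.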