Date:      Thu, 15 Nov 2001 09:24:33 +0100
From:      Tobias Roth <roth@iamexwi.unibe.ch>
To:        Stefan Probst <stefan.probst@opticom.v-nam.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Spoofing file information?
Message-ID:  <20011115092433.A9120@roy.unibe.ch>
In-Reply-To: <5.1.0.14.2.20011115143223.04264050@MailServer>; from stefan.probst@opticom.v-nam.net on Thu, Nov 15, 2001 at 02:37:23PM +0700
References:  <5.1.0.14.2.20011115143223.04264050@MailServer>

you run a generic kernel, not a customized one? ;)

no, seriously, you generally check if two files are the same by using an md5 hash or the cksum command. An intruder doesn't 'spoof' file sizes; he replaces binaries such as ls and netstat so they hide his system modifications.
As for file modification dates, man touch.

So, if you use md5 to compare files, there are those two criteria for being sure that your files haven't been tampered with:

1. the md5 binary has not been modified
2. the checksums you made and to which you are comparing haven't been modified

you can achieve this for instance by having both the binary and the checksums on a read only medium.

cheers, Tobe



On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> Dear All,
> 
> how easy/difficult would it be for an intruder to spoof file modification 
> dates and sizes (i.e. the data which show up in an "ls -al")?
> 
> I have e.g. in my root directory:
> /kernel          (3258128 Nov 20  2000)
> /kernel.GENERIC  (3258128 Nov 20  2000)
> Can I trust, that those are identical files (i.e. the kernel is still 
> intact), even if somebody intruded?
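A way to carry out the comparison described above, as an added example that is not part of the thread: a POSIX shell script that builds an md5 manifest of a directory and later re-verifies it, then shows two same-size, same-mtime files being told apart. It assumes md5sum (Linux) or md5 (FreeBSD) is on the path; keeping the hashing binary and the manifest on read-only media is left to the operator.

```shell
# Added example, not from the thread: md5 manifest build and verify. The md5
# tool and the manifest belong on read-only media; this is only the comparison.
# Print "hash path" for one file. Uses md5sum (Linux) or md5 -r (FreeBSD);
# output is normalised so manifests from either host compare equal.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk -v f="$1" '{print $1, f}'
    else
        md5 -r "$1" | awk -v f="$1" '{print $1, f}'
    fi
}

# make_manifest DIR OUT: hash every regular file under DIR into OUT, sorted so
# two manifests of the same tree are byte-for-byte comparable.
make_manifest() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        hash_file "$f"
    done > "$2"
}

# verify_manifest MANIFEST: recompute each entry and report files that are
# missing or whose hash changed. Returns 0 only when everything matches.
verify_manifest() {
    rc=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(hash_file "$path" | awk '{print $1}')
        [ "$actual" = "$expected" ] || { echo "CHANGED  $path"; rc=1; }
    done < "$1"
    return $rc
}

# Demo with constructed files: two identical "kernels", then one is replaced by
# a same-sized file with the old timestamp copied back (touch -r): ls -al shows nothing.
demo() {
    d=$(mktemp -d)
    printf 'kernel-bytes-v1\n' > "$d/kernel"
    cp -p "$d/kernel" "$d/kernel.GENERIC"
    make_manifest "$d" "$d.md5"
    printf 'kernel-bytes-v2\n' > "$d/kernel"   # same size as before
    touch -r "$d/kernel.GENERIC" "$d/kernel"   # same mtime as before
    ls -l "$d"                                 # sizes and dates still agree
    if verify_manifest "$d.md5"; then echo "all files match"; else echo "tampering detected"; fi
    rm -rf "$d" "$d.md5"
}
demo
```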
