From: Tobias Roth
To: Stefan Probst
Cc: freebsd-security@freebsd.org
Date: Thu, 15 Nov 2001 09:24:33 +0100
Subject: Re: Spoofing file information?
Message-id: <20011115092433.A9120@roy.unibe.ch>
In-reply-to: <5.1.0.14.2.20011115143223.04264050@MailServer>
User-Agent: Mutt/1.2.5i

you run a generic kernel, not a customized one? ;)

no, seriously, you generally check if two files are the same by using an
md5 hash or the cksum command. An intruder doesn't 'spoof' file sizes, he
replaces binaries such as ls and netstat so they hide his system
modifications. As for file modification dates, man touch.

So, if you use md5 to compare files, there are those two criteria for
being sure that your files haven't been tampered with:

1. the md5 binary has not been modified
2. the checksums you made and to which you are comparing haven't been
   modified

you can achieve this for instance by having both the binary and the
checksums on a read only medium.

cheers, Tobe

On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> Dear All,
>
> how easy/difficult would it be for an intruder to spoof file modification
> dates and sizes (i.e. the data which show up in an "ls -al")?
>
> I have e.g. in my root directory:
> /kernel (3258128 Nov 20 2000)
> /kernel.GENERIC (3258128 Nov 20 2000)
> Can I trust that those are identical files (i.e. the kernel is still
> intact), even if somebody intruded?
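An added example of the baseline-checksum approach described in the reply above (it is not part of the mail thread and not FreeBSD's own tooling): a POSIX sh script that records cksum(1) output for a tree and later re-verifies it, with a constructed demo in which a file is altered without changing its size or mtime. It assumes only cksum, find, mktemp and touch; per the reply, the script and the baseline it writes are only trustworthy when kept on read-only media.

```shell
#!/bin/sh
# Added example, not from the original mail. Baseline integrity check with cksum(1).
# The checker and the baseline file must live on read-only media: an intruder who can
# replace ls or netstat can replace cksum or rewrite the baseline just as easily.

# make_baseline DIR OUT -- record "crc size path" for every regular file under DIR.
# OUT must be outside DIR, or the half-written baseline gets recorded in itself.
make_baseline() {
    find "$1" -type f -exec cksum {} + | sort -k 3 > "$2"
}

# verify_baseline FILE -- recompute every entry, report changes, return 1 on any mismatch.
verify_baseline() {
    baseline=$1
    rc=0
    while read -r crc size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        set -- $(cksum "$path")                    # $1 = crc, $2 = size
        if [ "$1" != "$crc" ] || [ "$2" != "$size" ]; then
            echo "MODIFIED $path (crc $crc -> $1, size $size -> $2)"
            rc=1
        fi
    done < "$baseline"
    return $rc
}

# demo -- constructed files: a tampered copy keeps the size and mtime the question asks
# about ("ls -al" shows no difference) yet is caught by the checksum. Returns 0 on success.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/tree"
    printf 'GENERIC-kernel-A\n' > "$d/tree/kernel"
    cp -p "$d/tree/kernel" "$d/tree/kernel.GENERIC"
    make_baseline "$d/tree" "$d/baseline.txt"
    verify_baseline "$d/baseline.txt" > /dev/null || { rm -rf "$d"; return 1; }  # clean tree passes
    printf 'GENERIC-kernel-B\n' > "$d/tree/kernel"   # same size, different content
    touch -r "$d/tree/kernel.GENERIC" "$d/tree/kernel"   # put the old mtime back (cf. "man touch")
    if verify_baseline "$d/baseline.txt" > /dev/null; then
        rm -rf "$d"; return 1                          # tampering went unnoticed
    fi
    rm -rf "$d"
    return 0
}

demo && echo "checksum baseline detected the size- and mtime-preserving modification"
```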