Date: Thu, 15 Nov 2001 16:31:49 +0800
From: "Shaun De Burgh" <sdeburgh@rescuegroup.com>
To: <roth@iamexwi.unibe.ch>, <stefan.probst@opticom.v-nam.net>
Cc: <freebsd-security@freebsd.org>
Subject: Re: Spoofing file information?
Message-ID: <sbf3ee02.017@mail.rescuegroup.com>
if the intruder gained root access to your system, couldn't he remount the file systems in rw mode and modify the binary, or does FreeBSD prevent that from occurring?

>>> Tobias Roth <roth@iamexwi.unibe.ch> 11/15/01 04:24pm >>>
you run a generic kernel, not a customized one? ;)

no, seriously, you generally check if two files are the same by using an md5 hash or the cksum command. An intruder doesn't 'spoof' file sizes, he replaces binaries such as ls and netstat so they hide his system modifications. As for file modification dates, man touch.

So, if you use md5 to compare files, there are those two criteria for being sure that your files haven't been tampered with:

1. the md5 binary has not been modified
2. the checksums you made and to which you are comparing haven't been modified

you can achieve this for instance by having both the binary and the checksums on a read only medium.

cheers, Tobe

On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> Dear All,
>
> how easy/difficult would it be for an intruder to spoof file modification
> dates and sizes (i.e. the data which show up in an "ls -al")?
>
> I have e.g. in my root directory:
> /kernel (3258128 Nov 20 2000)
> /kernel.GENERIC (3258128 Nov 20 2000)
> Can I trust, that those are identical files (i.e. the kernel is still
> intact), even if somebody intruded?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?sbf3ee02.017>
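An added example, not part of the thread, showing the checksum-baseline approach Tobias describes and why the size and date shown by "ls -al" prove nothing: a replaced file can be given the same length and mtime, yet still fails the md5 comparison. The script, variable and function names (MD5SUM, file_md5, make_baseline, verify_baseline, demo) are this example's own; it assumes a POSIX sh with either md5sum (GNU) or md5 (BSD) on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): md5 baseline and verify,
# plus a demo that size/mtime matching is not evidence of integrity.
# Assumes POSIX sh and either md5sum (GNU) or md5 (BSD) on PATH.

# md5 tool to use. On a real host point MD5SUM at the copy kept on read-only
# media (e.g. a mounted CD-ROM), not at whatever is left in /usr/bin.
MD5SUM="${MD5SUM:-}"
file_md5() {
    if [ -n "$MD5SUM" ]; then "$MD5SUM" "$1" | cut -d' ' -f1
    elif command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"                    # BSD md5(1): -q prints only the digest
    fi
}

# Write "digest  path" for every regular file under $1 into baseline file $2.
# Keep $2 where an intruder cannot write to it (read-only media, off-host).
make_baseline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(file_md5 "$f")" "$f"
    done > "$2"
}

# Re-hash every path listed in baseline $1; print MISSING/MODIFIED lines.
# Returns 0 only if every file still matches its recorded digest.
verify_baseline() {
    rc=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then echo "MISSING $path"; rc=1
        elif [ "$(file_md5 "$path")" != "$sum" ]; then echo "MODIFIED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Demo: replace a constructed stand-in for /bin/ls with a file of identical
# size and mtime. "ls -l" cannot tell them apart; the checksum can.
demo() {
    d=$(mktemp -d)
    printf 'original binary\n' > "$d/ls"
    touch -t 200011200000 "$d/ls"       # Nov 20 2000, like the kernel in the question
    make_baseline "$d" "$d.base"
    printf 'trojaned binary\n' > "$d/ls" # same byte count, different content
    touch -t 200011200000 "$d/ls"       # "man touch": mtime put back
    ls -l "$d/ls"
    verify_baseline "$d.base"           # prints MODIFIED ..., returns 1
}
```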