Date:      Thu, 15 Nov 2001 10:29:01 +0100
From:      Tobias Roth <roth@iamexwi.unibe.ch>
To:        Shaun De Burgh <sdeburgh@rescuegroup.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Spoofing file information?
Message-ID:  <20011115102901.A9254@roy.unibe.ch>
In-Reply-To: <sbf3ee02.018@mail.rescuegroup.com>; from sdeburgh@rescuegroup.com on Thu, Nov 15, 2001 at 04:31:49PM +0800
References:  <sbf3ee02.018@mail.rescuegroup.com>


Even root cannot remount a cd-rom in rw mode ;)
But seriously, that depends on the secure level of the system; man init for explanations.

On Thu, Nov 15, 2001 at 04:31:49PM +0800, Shaun De Burgh wrote:
> if the intruder gained root access to your system, couldn't he remount the file systems in rw mode, and modify the binary, or does freebsd prevent that from occurring.
>
> >>> Tobias Roth <roth@iamexwi.unibe.ch> 11/15/01 04:24pm >>>
> you run a generic kernel, not a customized one? ;)
> 
> no, seriously, you generally check if two files are the same by using an md5 hash or the cksum command. An intruder doesn't 'spoof' file sizes, he replaces binaries such as ls and netstat so they hide his system modifications.
> As for file modification dates, man touch.
> 
> So, if you use md5 to compare files, there are those two criteria for being sure that your files haven't been tampered with:
> 
> 1. the md5 binary has not been modified
> 2. the checksums you made and to which you are comparing haven't been modified
> 
> you can achieve this for instance by having both the binary and the checksums on a read only medium.
> 
> cheers, Tobe
> 
> 
> 
> On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> > Dear All,
> > 
> > how easy/difficult would it be for an intruder to spoof file modification 
> > dates and sizes (i.e. the data which show up in an "ls -al")?
> > 
> > I have e.g. in my root directory:
> > /kernel          (3258128 Nov 20  2000)
> > /kernel.GENERIC  (3258128 Nov 20  2000)
> > Can I trust, that those are identical files (i.e. the kernel is still 
> > intact), even if somebody intruded?
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org 
> with "unsubscribe freebsd-security" in the body of the message
> 

-- 
------------------------------------------------------
Tobias Roth                    Phone: +41 31 305 96 29
Buchenweg 22                          +41 76 345 66 47
3012 Bern                 email: caffeine@insomniac.ch
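The point of the thread (size and date as shown by "ls -al" are cheap to fake, a checksum compared against a manifest made while the files were known-good is not), as an added example that is not part of the original mails. It uses constructed files named after Stefan's /kernel and /kernel.GENERIC in a temporary directory, and cksum(1) rather than md5 only because cksum is the POSIX tool present on both FreeBSD and Linux; the MANIFEST file, the function names and the "X" overwrite are assumptions for the demonstration. In practice the manifest and the checksum binary live on read-only media, as the reply advises.

```shell
#!/bin/sh
# Added example, not code from the thread: on a constructed pair of files,
# make "kernel" differ from "kernel.GENERIC" while keeping the size and
# modification time that "ls -al" shows identical, then show that cksum(1)
# and a stored checksum manifest still catch the change.  Only POSIX tools
# are used (cksum, dd, touch, find, wc, cmp), so it runs on FreeBSD or Linux.
set -eu

# Build the fixture: a pristine reference file, a copy of it, and a manifest of
# checksums taken while both are known-good (constructed content, assumed name
# MANIFEST).  The thread's advice is to keep that manifest, and the checksum
# binary itself, on read-only media.
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed kernel image, version 4.4-RELEASE\n' > "$dir/kernel.GENERIC"
    cp "$dir/kernel.GENERIC" "$dir/kernel"
    ( cd "$dir" && cksum kernel kernel.GENERIC > MANIFEST )
    echo "$dir"
}

# Tamper with $1 the way an intruder hiding a replaced binary would: overwrite
# one byte in place so the length is unchanged, then copy the timestamps of the
# reference file $2 onto it (touch -r, the "man touch" hint in the reply).
spoof_file() {
    printf 'X' | dd of="$1" bs=1 count=1 conv=notrunc 2>/dev/null
    touch -r "$2" "$1"
}

# True when the two files have the same byte count and neither has a newer
# modification time than the other, i.e. what "ls -al" would show as identical.
same_size_and_mtime() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(wc -c < "$2" | tr -d ' ')" ] || return 1
    [ -z "$(find "$1" -newer "$2")" ] || return 1
    [ -z "$(find "$2" -newer "$1")" ] || return 1
}

# True when the two files have the same CRC and length according to cksum.
checksums_match() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# Recompute cksum for every file named in the manifest under directory $1 and
# compare against the stored lines; exit status 0 means nothing listed changed.
verify_manifest() {
    ( cd "$1" && awk '{ print $3 }' MANIFEST | xargs cksum | cmp -s - MANIFEST )
}

# Demonstration when run directly.
dir=$(make_fixture)
spoof_file "$dir/kernel" "$dir/kernel.GENERIC"
ls -al "$dir"                                # sizes and dates look the same
cksum "$dir/kernel" "$dir/kernel.GENERIC"    # the checksums do not
if verify_manifest "$dir"; then echo "manifest: OK"; else echo "manifest: MISMATCH"; fi
rm -rf "$dir"
```

Run it as a plain sh script; the "ls -al" lines show kernel and kernel.GENERIC with equal size and timestamp, while cksum prints two different CRCs and the manifest check reports a mismatch. The same mismatch would also appear if the intruder had replaced ls or cksum, which is why the reply insists that the checksum binary and the manifest themselves be unmodifiable.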

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011115102901.A9254>