From owner-freebsd-security Thu Nov 15 11:14:21 2001
Date: Thu, 15 Nov 2001 12:13:51 +0200
From: veedee@c7.campus.utcluj.ro
To: cperciva@sfu.ca
Cc: Tobias Roth , Stefan Probst , freebsd-security@FreeBSD.ORG
Subject: Re: Spoofing file information?
Message-ID: <20011115121351.A24535@c7.campus.utcluj.ro>
References: <5.1.0.14.2.20011115143223.04264050@MailServer> <20011115092433.A9120@roy.unibe.ch> <5.0.2.1.1.20011115083248.0e8cd548@popserver.sfu.ca>
In-Reply-To: <5.0.2.1.1.20011115083248.0e8cd548@popserver.sfu.ca>; from colin.percival@wadham.ox.ac.uk on Thu, Nov 15, 2001 at 08:39:41AM +0000

On Thu, Nov 15, 2001 at 08:39:41AM +0000, Colin Percival wrote:
> At 09:24 15/11/2001 +0100, Tobias Roth wrote:
> >So, if you use md5 to compare files, there are those two criteria for being
> >sure that your files haven't been tampered with:
> >
> >1. the md5 binary has not been modified
> >2. the checksums you made and to which you are comparing haven't been modified
>
> Don't forget
> 3. you're running a kernel which is polite enough to pass the file to md5
> intact
>
> A compromised kernel can do anything it pleases, including keeping the
> original copies of files around and passing them to any integrity-checking
> code.
> I remember there were some viruses (back in the MS-DOS days) which
> operated in this manner.
I know, I wrote some of them ;)

I'm just taking a wild guess here, but aren't some of you guys getting a little bit paranoid? Next thing you're gonna advise Stefan is that someone flashed some EEPROMs from his hardware that contain some code that activates when blahblah, or simply say "just change the whole fucking thing (e.g. server)". I know that you can never be 100% sure of something, but one should also take into account the fact that *maybe* his servers are not that important for a hacker, because they do not contain sensitive data *that important* for a certain person, so he would have to write all those nasty hacks.

And Stefan, if you're really sure that those persons were from Romania, I would take immediate action in tracerouting, then e-mailing their ISPs. Some of us are just so anxious to catch some of these mf*ckers that have nothing better to do than play with others' lives, and who, imho, do nothing but make our country really look bad outside our borders. I think that what happened to you happened to some other thousand people out there. Kids from Romania, having nothing else better to do than hang around all day in "Internet Cafes", looking for *available* servers out there that they can exploit and put their damn IRC scripts there. Ah, by the way, that's what 99% of them do... just install some BNCs or other IRC scripts on the targeted machine, then leave it alone, because there's nothing really else that they can use it for.

Best regards,
Radu Bogdan Rusu (aka veedee)
C7 Campus Network System Administrator
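The three criteria quoted in this thread, as an added example in Python (not code from the thread or from FreeBSD): a verifier for a manifest in the output format of FreeBSD's md5(1) that hashes files in-process rather than invoking the md5 binary (criterion 1) and reports a per-file status. Where the manifest is stored (criterion 2) and whether the kernel returns the real file bytes (criterion 3) are outside what any such script can check. The file names, contents and tampering scenario are constructed.

```python
import hashlib
import os
import re
import tempfile

# FreeBSD md5(1) prints one line per file: "MD5 (path) = hexdigest"
MANIFEST_LINE = re.compile(r"^MD5 \((.+)\) = ([0-9a-f]{32})$")

def md5_file(path):
    # Hash the bytes the kernel hands back; a compromised kernel could
    # substitute the original file here and nothing below would notice (criterion 3).
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def make_manifest(root, names):
    """Manifest text in md5(1) output format for the given relative paths."""
    return "".join("MD5 (%s) = %s\n" % (n, md5_file(os.path.join(root, n))) for n in names)

def verify_manifest(root, manifest_text):
    """Return {relative path: 'OK' | 'MISMATCH' | 'MISSING'} for each manifest entry.
    Hashing is done in-process instead of invoking the md5 binary (criterion 1);
    the manifest must be read from storage the attacker cannot alter (criterion 2)."""
    results = {}
    for line in manifest_text.splitlines():
        m = MANIFEST_LINE.match(line)
        if not m:
            continue  # blank or malformed line
        name, expected = m.groups()
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if md5_file(path) == expected else "MISMATCH"
    return results

def demo():
    """Constructed scenario: snapshot three files, then alter one and delete one."""
    root = tempfile.mkdtemp()
    files = {"bin/ls": b"ls-v1", "bin/md5": b"md5-v1", "etc/rc.conf": b'sshd_enable="YES"\n'}
    for name, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    manifest = make_manifest(root, sorted(files))
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(b"ls-v1-modified")  # tampered after the snapshot was taken
    os.remove(os.path.join(root, "etc/rc.conf"))
    return verify_manifest(root, manifest)

if __name__ == "__main__":
    print(demo())
```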