Date:      Thu, 15 Nov 2001 16:31:49 +0800
From:      "Shaun De Burgh" <sdeburgh@rescuegroup.com>
To:        <roth@iamexwi.unibe.ch>, <stefan.probst@opticom.v-nam.net>
Cc:        <freebsd-security@freebsd.org>
Subject:   Re: Spoofing file information?
Message-ID:  <sbf3ee02.017@mail.rescuegroup.com>


If the intruder gained root access to your system, couldn't he remount the file systems in rw mode and modify the binary, or does FreeBSD prevent that from occurring?

>>> Tobias Roth <roth@iamexwi.unibe.ch> 11/15/01 04:24pm >>>
you run a generic kernel, not a customized one? ;)

No, seriously: you generally check if two files are the same by using an md5 hash or the cksum command. An intruder doesn't 'spoof' file sizes; he replaces binaries such as ls and netstat so that they hide his system modifications.
As for file modification dates, man touch.

So, if you use md5 to compare files, there are these two criteria for being sure that your files haven't been tampered with:

1. the md5 binary has not been modified
2. the checksums you made, and against which you are comparing, haven't been modified

You can achieve this, for instance, by having both the binary and the checksums on a read-only medium.

cheers, Tobe



On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> Dear All,
> 
> how easy/difficult would it be for an intruder to spoof file modification 
> dates and sizes (i.e. the data which show up in an "ls -al")?
> 
> I have e.g. in my root directory:
> /kernel          (3258128 Nov 20  2000)
> /kernel.GENERIC  (3258128 Nov 20  2000)
> Can I trust, that those are identical files (i.e. the kernel is still 
> intact), even if somebody intruded?

To Unsubscribe: send mail to majordomo@FreeBSD.org 
with "unsubscribe freebsd-security" in the body of the message
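An added illustration of the points made in this thread (this is not code posted by any of the participants): size and modification time, the columns that "ls -al" shows, can be given to a replaced file with padding and touch -r, while a digest recorded when the system was known-good still exposes the swap. The file names (kernel, kernel.GENERIC, baseline.md5), the file contents and the temporary directory are all constructed for the demo; the digest and ls helpers use only md5(1)/md5sum(1), cksum(1), ls(1), touch(1) and awk(1) as found on FreeBSD and GNU systems.

```sh
#!/bin/sh
# Added illustration for this thread, not code from any of the posters.
# It shows what Tobias describes: an intruder can give a replaced binary the
# same size and modification time that "ls -al" shows for the original, but a
# checksum taken while the system was known-good still exposes the swap.
# File names and contents below are constructed for the demo.
set -eu

# Digest tool: FreeBSD ships md5(1), GNU systems md5sum(1); cksum(1) is POSIX.
digest() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# The columns a human looks at in "ls -l": size, month, day, time/year.
ls_fields() {
    LC_ALL=C ls -l "$1" | awk '{print $5, $6, $7, $8}'
}

# Write "digest  path" lines for every file given: the baseline that belongs
# on read-only media together with the digest binary.
record_baseline() {
    for f in "$@"; do
        printf '%s  %s\n' "$(digest "$f")" "$f"
    done
}

# Re-hash every file named in a baseline file; return 1 if any digest differs.
check_baseline() {
    rc=0
    while read -r want path; do
        have=$(digest "$path")
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"
            rc=1
        fi
    done < "$1"
    return $rc
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cd "$workdir"

# Known-good state: two identical 64-byte "kernels", like Stefan's listing.
printf '%-64s' 'GENERIC kernel image (constructed sample)' > kernel
cp -p kernel kernel.GENERIC
record_baseline kernel kernel.GENERIC > baseline.md5

# The intruder's replacement: different bytes padded to the same length, with
# the victim's mtime copied onto it by touch -r before it is moved into place.
printf '%-64s' 'trojaned kernel (constructed sample)' > kernel.evil
touch -r kernel kernel.evil
before=$(ls_fields kernel)
mv kernel.evil kernel
after=$(ls_fields kernel)

echo "ls -l columns before: $before"
echo "ls -l columns after:  $after"
if check_baseline baseline.md5; then
    echo "baseline check: all files intact"
else
    echo "baseline check: at least one file replaced"
fi
```

Run as-is and the two "ls -l columns" lines are identical while the baseline check reports kernel as MODIFIED and kernel.GENERIC as OK. Two caveats the demo does not cover: a file system that is merely mounted read-only can be remounted read-write by root, whereas a write-protected or non-writable medium (CD-ROM, write-protected floppy) cannot; and any check run on the compromised machine trusts the running kernel to return the real file contents, so the strongest version of Tobias's advice is to boot from known-good media and verify from there.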






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?sbf3ee02.017>