From owner-freebsd-security Thu Nov 15 0:53:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dymwsm17.mailwatch.com (dymwsm17.mailwatch.com [204.253.83.165]) by hub.freebsd.org (Postfix) with ESMTP id 75AFC37B405 for ; Thu, 15 Nov 2001 00:53:09 -0800 (PST)
Received: from mwsc0210.mw4.mailwatch.com (mwsc0210.mw4.mailwatch.com [204.253.83.228]) by dymwsm17.mailwatch.com (8.11.0/8.11.0) with ESMTP id fAF8TuM24912 for ; Thu, 15 Nov 2001 03:29:56 -0500
Received: from mail pickup service by mwsc0210.mw4.mailwatch.com with Microsoft SMTPSVC; Thu, 15 Nov 2001 03:29:56 -0500
Received: from 204.253.83.39 ([204.253.83.39]) by MWSC0210 with SMTP id 0002000a4a6bfd89-c317-4531-b634-67c95d48a75c; Thu, 15 Nov 2001 03:29:56 -0500
Received: from mail.rescuegroup.com (mail.rescuegroup.com [203.103.84.226]) by dymwsm15.mailwatch.com (8.11.0/8.11.0) with ESMTP id fAF8TsW27757 for ; Thu, 15 Nov 2001 03:29:54 -0500
Received: from iDomain-MTA by mail.rescuegroup.com with Novell_GroupWise; Thu, 15 Nov 2001 16:32:02 +0800
Message-Id:
X-Mailer: Novell GroupWise Internet Agent 6.0
Date: Thu, 15 Nov 2001 16:31:49 +0800
From: "Shaun De Burgh"
To: ,
Cc:
Subject: Re: Spoofing file information?
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
HOP-COUNT: 1
X-MAILWATCH-INSTANCEID: 0102000a4a6bfd89-c317-4531-b634-67c95d48a75c
X-OriginalArrivalTime: 15 Nov 2001 08:29:56.0254 (UTC) FILETIME=[B4C41BE0:01C16DAF]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

If the intruder gained root access to your system, couldn't he remount the file systems in rw mode and modify the binary, or does FreeBSD prevent that from occurring?

>>> Tobias Roth 11/15/01 04:24pm >>>
You run a generic kernel, not a customized one? ;)

No, seriously, you generally check if two files are the same by using an md5 hash or the cksum command. An intruder doesn't 'spoof' file sizes, he replaces binaries such as ls and netstat so they hide his system modifications. As for file modification dates, man touch.

So, if you use md5 to compare files, there are those two criteria for being sure that your files haven't been tampered with:

1. the md5 binary has not been modified
2. the checksums you made and to which you are comparing haven't been modified

You can achieve this for instance by having both the binary and the checksums on a read-only medium.

cheers, Tobe

On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> Dear All,
>
> how easy/difficult would it be for an intruder to spoof file modification
> dates and sizes (i.e. the data which show up in an "ls -al")?
>
> I have e.g. in my root directory:
> /kernel (3258128 Nov 20 2000)
> /kernel.GENERIC (3258128 Nov 20 2000)
> Can I trust, that those are identical files (i.e. the kernel is still
> intact), even if somebody intruded?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
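The baseline-and-verify procedure Tobe describes, as an added example that is not part of the thread. It uses only POSIX sh and cksum(1) so it runs anywhere; on FreeBSD you would run md5(1) or, today, sha256(1) the same way (their output format differs from cksum's, so the field parsing would change). The two "binaries", the manifest and the same-size trojan are constructed inline. The scenario answers Stefan's question directly: after the intruder resets the mtime with touch(1), ls -l shows identical size and date for the original and the replacement, and only the checksum comparison tells them apart.

```sh
#!/bin/sh
# Added example (not from the thread): build a checksum manifest for a set of
# binaries, then verify the live files against it. POSIX sh + cksum(1) only.
# Assumption: cksum prints "crc size path", as POSIX specifies.

# Read file paths (one per line) from list file $1 and emit one manifest line
# per file, "<crc> <size> <path>". In practice the manifest is written to
# read-only media together with the checksum binary itself.
make_manifest() {
    while IFS= read -r f; do
        cksum "$f"
    done < "$1"
}

# Recompute the checksum of every path named in manifest $1 and compare both
# CRC and size. Prints MISSING/CHANGED lines; returns 0 only if all match.
verify_manifest() {
    manifest=$1
    status=0
    while read -r want_crc want_size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        # Take the first two fields of cksum's "crc size path" output.
        set -- $(cksum "$path")
        if [ "$1" != "$want_crc" ] || [ "$2" != "$want_size" ]; then
            echo "CHANGED $path (crc $1 vs $want_crc, size $2 vs $want_size)"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# Constructed tree: two fake binaries under a temp dir plus their manifest.
# Prints the temp dir path.
setup_tree() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original binary v1\n' > "$work/bin/ls"        # 19 bytes
    printf 'original netstat 1\n' > "$work/bin/netstat"
    printf '%s\n' "$work/bin/ls" "$work/bin/netstat" > "$work/list"
    make_manifest "$work/list" > "$work/manifest"        # "read-only media"
    echo "$work"
}

# Untampered tree: verification passes (exit 0).
demo_clean() {
    work=$(setup_tree)
    verify_manifest "$work/manifest"
}

# Tampered tree: intruder swaps in a same-size trojan and resets the mtime
# (man touch). ls -l shows nothing; verify_manifest reports CHANGED (exit 1).
demo_tamper() {
    work=$(setup_tree)
    printf 'trojaned binary v1\n' > "$work/bin/ls"        # also 19 bytes
    touch -t 200011200000 "$work/bin/ls" "$work/bin/netstat"
    ls -l "$work/bin"          # same sizes, same dates
    verify_manifest "$work/manifest"
}
```

Two caveats a practitioner would add to Tobe's two criteria. First, "read-only" has to be enforced outside the host: a root intruder can simply run mount -u -o rw on a read-only mounted file system, so the manifest and the checksum binary belong on write-protected media or on a separate machine, and the comparison should be run from a boot medium the intruder never controlled. Second, mtree(8) ships with FreeBSD and does this job natively (it records sizes, modes, mtimes and, with -K md5digest or -K sha256digest, content hashes), so the script above is mainly a way to see what the check is doing.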