Date: Mon, 8 Dec 2003 11:46:26 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org
Subject: Re: possible compromise or just misreading logs
Message-ID: <200312081646.hB8GkQIX035167@khavrinen.lcs.mit.edu>
In-Reply-To: <20031208160428.DDF8FDAE9A@mx7.roble.com>
References: <20031207200130.C4B1216A4E0@hub.freebsd.org> <Pine.GSO.4.58.0312081045300.15156@mail.ilrt.bris.ac.uk> <20031208123501.GA87554@ergo.nruns.com> <20031208160428.DDF8FDAE9A@mx7.roble.com>

<<On Mon, 8 Dec 2003 08:04:28 -0800 (PST), Roger Marquis <marquis@roble.com> said:

> Wouldn't affect tripwire. In addition to MD5 you'd need to spoof
> snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
> spoof them for, at a minimum, the tripwire binary and its database
> file(s).

Trivial -- all you have to do is keep backup copies of all the files
replaced, and have the kernel redirect tripwire's access to the
originals.

-GAWollman
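
The point made in the reply above, as an added example that is not part of the original message or of Tripwire: a toy model in which the same multi-digest check is run through two read paths, showing that the number of hash algorithms does not matter when the checker's reads are answered from kept originals. The file names, contents, function names and the "known-good boot media" read path are all constructed assumptions, and the four hashlib algorithms stand in for the list named in the quoted text.

```python
import hashlib

# Algorithms present in every Python build; stand-ins for the list in the message.
ALGOS = ("sha1", "sha256", "sha512", "blake2b")

def digests(data):
    """Return one hex digest per algorithm for a byte string."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}

def build_baseline(paths, read):
    """Record digests for each path using the given read function."""
    return {p: digests(read(p)) for p in paths}

def verify(baseline, read):
    """Return the sorted paths whose current digests differ from the baseline."""
    return sorted(p for p, want in baseline.items() if digests(read(p)) != want)

# Constructed sample data: real disk contents before and after tampering.
CLEAN_DISK = {"/bin/ls": b"original ls", "/bin/ps": b"original ps",
              "/usr/local/bin/checker": b"original checker"}
TAMPERED_DISK = dict(CLEAN_DISK, **{"/bin/ls": b"replaced ls",
                                    "/bin/ps": b"replaced ps"})
BACKUPS = {p: CLEAN_DISK[p] for p in ("/bin/ls", "/bin/ps")}

def trusted_read(path):
    """Assumed read path that bypasses the running kernel (disk examined
    from known-good boot media): returns what is really on disk."""
    return TAMPERED_DISK[path]

def redirected_read(path):
    """Read path on the compromised host: replaced files are answered
    from the kept backup copies, everything else from disk."""
    return BACKUPS.get(path, TAMPERED_DISK[path])

def compare_views():
    """Run the same check through both read paths against a clean baseline."""
    baseline = build_baseline(CLEAN_DISK, CLEAN_DISK.__getitem__)
    return verify(baseline, redirected_read), verify(baseline, trusted_read)

if __name__ == "__main__":
    on_host, off_host = compare_views()
    print("on-host check reports:", on_host)
    print("trusted-media check reports:", off_host)
```

The on-host run reports no changes with every digest matching, while the same baseline checked through the trusted read path flags both replaced files.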
