Date: Fri, 20 Nov 2015 11:38:54 -0600 (CST)
From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: "Artem Kuchin" <artem@artem.ru>
Cc: freebsd-questions@freebsd.org
Subject: Re: Forbid user set file mtime in the past
Message-ID: <19577.128.135.52.6.1448041134.squirrel@cosmo.uchicago.edu>
In-Reply-To: <564F51BD.4080103@artem.ru>
References: <564F51BD.4080103@artem.ru>
On Fri, November 20, 2015 11:00 am, Artem Kuchin wrote:
> Hello!
>
> Is there any way to forbid users to set file modification time in the
> past?
>
> I am asking because many php viruses somehow set modification time in
> the past and just checking what php files were created/modified for the
> last n hours just does not work at all.
>

I know this is not an answer to your question. Still, relying on anything on a compromised system for forensics is counterproductive. A much better approach would be to keep checksums (and everything from a long listing, including inode number) of all files on a trusted, clean, ultimately secure machine.

Another thing one can do is to compare all files with, say, a backup from the time before the moment the bad event happened. No matter what the time stamps are, if files differ from the backup, they were modified _after_ that time point.

But again, as they always advise, recovery from compromise begins with a fresh system installation, patching, setting up whatever you choose for "file integrity" checks...

Just my $0.02

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
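The approach Valeri describes (a baseline of content hashes plus long-listing metadata kept off the box, compared against the live tree later) as an added, self-contained example. This is editor-added Python, not code from the thread or from any FreeBSD tool; it builds a throwaway web root in a temp directory, records a baseline, then simulates the attack Artem describes (a file edited and a file dropped, both with mtime reset 90 days into the past) and shows that an mtime-based "what changed since the snapshot" check reports nothing while the hash comparison flags both files. The directory layout, file names and injected bytes are constructed for the demo.

```python
"""Baseline-and-compare file integrity check (added example, not from the thread).

Records sha256 + inode + size + mtime for every regular file under a root,
then reports files whose content differs from the baseline regardless of
what their mtime now says. Sample tree and tampering are constructed here.
"""
import hashlib
import os
import shutil
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, inode, size, mtime) for each regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_file(full), st.st_ino, st.st_size, int(st.st_mtime))
    return baseline


def compare(root, baseline):
    """Return {relative path: [reasons]} for every file that differs from the baseline."""
    current = build_baseline(root)
    findings = {}
    for rel, (h0, ino0, _size0, mt0) in baseline.items():
        if rel not in current:
            findings[rel] = ["missing"]
            continue
        h1, ino1, _size1, mt1 = current[rel]
        reasons = []
        if h1 != h0:
            reasons.append("content changed")
            if mt1 <= mt0:  # content differs but mtime did not move forward
                reasons.append("mtime not newer than baseline (backdated?)")
        if ino1 != ino0:
            reasons.append("inode changed (file replaced)")
        if reasons:
            findings[rel] = reasons
    for rel in current:
        if rel not in baseline:
            findings[rel] = ["new file"]
    return findings


def mtime_newer_than(root, since):
    """What a 'find -newermt' style search sees: files whose mtime is after `since`."""
    return sorted(rel for rel, (_h, _i, _s, mt) in build_baseline(root).items() if mt > since)


def demo():
    """Build a constructed web root, snapshot it, tamper with backdated mtimes, compare."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        os.makedirs(os.path.join(root, "inc"))
        old = int(time.time()) - 90 * 86400  # 90 days ago
        for rel, body in (("index.php", b"<?php echo 'hi';\n"), ("inc/db.php", b"<?php $dsn = 'x';\n")):
            p = os.path.join(root, rel)
            with open(p, "wb") as f:
                f.write(body)
            os.utime(p, (old, old))
        baseline = build_baseline(root)  # this is what you would keep on the trusted host
        snapshot_time = int(time.time())

        # Simulated compromise: append to an existing file and drop a new one,
        # then push both mtimes back to the old value (constructed, inert content).
        target = os.path.join(root, "inc", "db.php")
        with open(target, "ab") as f:
            f.write(b"// injected code\n")
        os.utime(target, (old, old))
        dropped = os.path.join(root, "inc", "cache.php")
        with open(dropped, "wb") as f:
            f.write(b"<?php // dropped file\n")
        os.utime(dropped, (old, old))

        return mtime_newer_than(root, snapshot_time), compare(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    newer, findings = demo()
    print("mtime-based check reports:", newer)      # [] : both tampered files are missed
    print("hash-based check reports:", findings)    # inc/db.php and inc/cache.php flagged
```

The baseline dictionary is the part that must live somewhere the attacker cannot touch; if it is stored on the compromised host it can be regenerated after the tampering, which is Valeri's point. On FreeBSD the same baseline can be produced natively with mtree(8) using a digest keyword and checked later against the live tree; the comparison logic above is the same, just done in Python so it runs anywhere.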
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19577.128.135.52.6.1448041134.squirrel>