Re: [rdiff-backup-users] File change detection using hashes
From: Wiebe Cazemier
Subject: Re: [rdiff-backup-users] File change detection using hashes
Date: Sat, 11 Feb 2006 00:21:06 +0100
User-agent: Mozilla Thunderbird 1.0.7 (X11/20051026)
(this is a reply to a message sent to me, but not the list. Press
"reply-all", Gregory :) )
On 02/10/06 19:14, Gregory Benjamin wrote:
>A good argument in favor of this is the case where a hacker
>replaces files on a machine with altered ones that have
>been fixed to appear to have the same mtime and size as the
>original. I've run into this problem a couple of times over
>the last few years. A cracker/script-kiddie gets into the
>machine and installs a "root-kit". This root-kit contains
>scripts and utilities that replace commands like ps, ls,
>login, etc. with altered copies. To cover their tracks, the
>root-kit changes the mtimes of these infected commands to
>match the originals. The sizes are also often adjusted to
>exactly match the original.
>
>Only by computing an md5sum or equivalent is it possible to
>detect that these files ARE NOT the original ones.
>
>- Greg Benjamin
>
Actually, this can be detected, because the ctime has changed. There is
no way an application can set a ctime. Any alteration to the file or
its metadata results in a new ctime.
But this is of course not rdiff-backup's job to keep track of. There is
security software which checks for changed ctimes.
signature.asc
Description: OpenPGP digital signature
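
The check discussed in this exchange, as an added example that is not part of the original messages or of rdiff-backup: a baseline of size, mtime, ctime and content hash is compared after a same-size replacement whose mtime has been put back. It assumes a POSIX filesystem where `st_ctime` is the inode change time; SHA-256 stands in for the md5sum mentioned in the quoted message, and the file and helper names are constructed for illustration.

```python
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Record the attributes discussed in the thread, plus a content hash."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns, "sha256": digest}


def changed_fields(baseline, current):
    """Return the sorted names of attributes that differ from the baseline."""
    return sorted(k for k in baseline if baseline[k] != current[k])


def simulate_same_size_replacement(path, baseline):
    """Constructed test condition: new content of equal length, then the
    recorded mtime is put back with os.utime()."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.write(b"B" * baseline["size"])
    os.utime(path, ns=(st.st_atime_ns, baseline["mtime_ns"]))


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ls")      # constructed stand-in file
        with open(path, "wb") as f:
            f.write(b"A" * 4096)          # constructed sample content
        baseline = snapshot(path)
        time.sleep(1.1)                   # exceed coarse timestamp granularity
        simulate_same_size_replacement(path, baseline)
        # size and mtime still match the baseline; ctime and hash do not
        return changed_fields(baseline, snapshot(path))


if __name__ == "__main__":
    print(demo())
```

A size-and-mtime comparison alone reports no change here; the ctime and the hash are the two fields that differ from the baseline.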