Bugtraq mailing list archives

Re: FreeBSD VM gremlin


From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Sat, 19 Sep 1998 03:24:38 -0400


>>> You should have md5 checksums of files that you are concerned
>>> about, as timestamps are useless in the face of a good attacker.
>> Rubbish!  A checksum doesn't tell me that someone hadn't temporarily
>> replaced the file and has now put the original back.
> Ummm, you still can't tell that for a competent attacker.

Right.  *Nothing* can tell you that, unless you have something like a
disk that can tell you how many times each sector has been written.

> A good attacker can set the system time, frob the file, set it back,
> let time pass and then do the same thing to get the original back.
> You'd never know.

Well, setting the time usually leaves *some* traces - log entries,
timestamps on other files touched during that interval, etc.  But if
you have root (necessary to set the time), you can - under most OSes -
modify the file underneath the filesystem, which leaves *no* traces,
short of those (hypothetical, AFAIK) sector write counts.  I've done
this under a SunOS derivative (not for timestamp reasons but rather to
do a one-off modification on a filesystem mounted read-only).

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
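The point made above, that restoring a timestamp still leaves some trace on an ordinary filesystem, can be checked directly. The Python example below is added here and is not from the thread; it assumes a POSIX system, where utime() can put mtime back exactly but the kernel-maintained ctime cannot be restored without changing the system clock or writing beneath the filesystem. The names `Baseline`, `snapshot`, `compare` and `demo` are mine.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What a checksum-plus-timestamp integrity baseline records for one file."""
    sha256: str
    mtime_ns: int
    ctime_ns: int


def snapshot(path: str) -> Baseline:
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    st = os.stat(path)
    return Baseline(digest, st.st_mtime_ns, st.st_ctime_ns)


def compare(before: Baseline, after: Baseline) -> dict:
    return {
        "content_changed": before.sha256 != after.sha256,
        "mtime_changed": before.mtime_ns != after.mtime_ns,
        "ctime_changed": before.ctime_ns != after.ctime_ns,
    }


def replace_and_restore(path: str) -> dict:
    """Overwrite a file, put the original bytes and mtime back through the normal
    filesystem API, and report what the baseline still notices (ctime)."""
    before = snapshot(path)
    with open(path, "rb") as f:
        original = f.read()
    time.sleep(0.05)  # step past the kernel's coarse timestamp granularity
    with open(path, "wb") as f:
        f.write(b"temporarily different content\n")
    with open(path, "wb") as f:
        f.write(original)
    os.utime(path, ns=(before.mtime_ns, before.mtime_ns))  # atime/mtime restored
    return compare(before, snapshot(path))


def demo() -> dict:
    fd, path = tempfile.mkstemp()  # constructed sample file
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"original content\n")
        return replace_and_restore(path)
    finally:
        os.unlink(path)
```

Expected result: content and mtime match the baseline, so only a baseline that also records ctime flags the file; on Windows `st_ctime` is the creation time, so the ctime check does not apply there.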
