Firewall Wizards mailing list archives

Re: FW: OK, I've been hacked, now what?


From: Lance Spitzner <spitzner () dimension net>
Date: Thu, 13 May 1999 17:21:22 -0400 (EDT)

On Wed, 12 May 1999 kevin.sheldrake () baedsl co uk wrote:

I assume that Tripwire tracks changes to files.  How does it distinguish
between normal, everyday system usage and unauthorised access?

Excellent question.  Tripwire gives a great deal of information
about a file; it is up to you to decide if those changes were
made by you or someone else.  For example, below is the tw output of
a file that was altered in a recent compromise.

/usr/sbin/rpc.nfsd
        st_ino: 618645                        133212                        
       st_size: 7229                          54268                         
      st_mtime: Thu Nov 26 00:02:19 1998      Mon Apr 27 11:11:13 1998      
      st_ctime: Tue Apr 27 16:58:22 1999      Sun Apr  4 16:48:43 1999      
    md5 (sig1): 33IMsVA6bepPJa:cJKb2jN        3dMAJZukmzJB.w0LXVQ8G7        
 snefru (sig2): 0ITeW9EYSbGi9bYUxZ2:tQ        31lWGLQGwh7jAAnu4LEGTs

Based on the information above, the file was definitely modified, not 
just accessed.  Since the admin did not modify or patch the binary,
you know something is up.  You can tell the system was modified since
there is a change in mtime and in the hash signatures snefru and md5.  To
get a better understanding of what st_ino, st_size, st_mtime, and st_ctime are,
do a man on stat(2).

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
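The check Lance describes (baseline the stat(2) fields and content hashes, then decide from which ones moved whether the file was merely used or actually replaced) in working form. This is an added example, not Tripwire's code and not part of the original post: it records st_ino, st_size, st_mtime and st_ctime plus md5 and sha256 (Snefru is not available in Python's hashlib, so sha256 stands in for sig2), runs two constructed scenarios against a made-up stand-in for rpc.nfsd in a temp directory, and goes one step beyond the post by showing that an attacker who forges mtime back with utime(2) still trips the check, because ctime is set by the kernel on every inode change and cannot be restored that way.

```python
"""
Tripwire-style integrity check reduced to the fields in the post's report:
st_ino, st_size, st_mtime, st_ctime and two content hashes. Added example,
not Tripwire's own code. Snefru is not in hashlib, so sha256 stands in for sig2.
"""
import hashlib
import os
import shutil
import tempfile
import time

# report name -> os.stat_result attribute; the *_ns forms keep timestamps exact
TRACKED = {"st_ino": "st_ino", "st_size": "st_size",
           "st_mtime": "st_mtime_ns", "st_ctime": "st_ctime_ns"}


def snapshot(path):
    """One database entry for a file: inode, size, mtime, ctime, md5, sha256."""
    st = os.stat(path)
    entry = {name: getattr(st, attr) for name, attr in TRACKED.items()}
    md5 = hashlib.md5(usedforsecurity=False)  # kept only to mirror the post's sig1
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    entry["md5"], entry["sha256"] = md5.hexdigest(), sha256.hexdigest()
    return entry


def compare(expected, observed):
    """Attributes that differ, as {attr: (observed, expected)}."""
    return {k: (observed[k], expected[k]) for k in expected if observed[k] != expected[k]}


def classify(diff):
    """The judgement the post makes by hand: modified, or merely used?"""
    if not diff:
        return "unchanged: a read or exec only updates atime, which is not tracked"
    if "md5" in diff or "sha256" in diff:
        if "st_ino" in diff:
            return "content replaced: different inode, written elsewhere and renamed in"
        return "content modified in place"
    if "st_mtime" in diff:
        return "same content, mtime changed (touch/utime)"
    if "st_ctime" in diff:
        return "same content, inode metadata changed (owner/mode/link count)"
    return "same content, different inode"


def report(path, diff):
    """Two-column observed/expected listing in the spirit of the tw output above."""
    def fmt(attr, value):
        return time.ctime(value / 1e9) if attr in ("st_mtime", "st_ctime") else str(value)
    lines = [path]
    for attr, (obs, exp) in diff.items():
        lines.append(f"{attr:>14}: {fmt(attr, obs):<30}{fmt(attr, exp)}")
    return "\n".join(lines)


def run_scenarios():
    """Constructed: baseline a fake binary, then (1) read it, (2) trojan it with mtime forged."""
    results = {}
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "rpc.nfsd")  # name mirrors the post; content is made up
        with open(target, "wb") as fh:
            fh.write(b"\x7fELF" + b"original nfsd code " * 200)
        baseline = snapshot(target)
        time.sleep(1.1)  # so ctime can differ even on filesystems with 1-second timestamps

        # 1. Normal use: execute/read the binary. Only atime moves, and atime is not tracked.
        with open(target, "rb") as fh:
            fh.read()
        diff = compare(baseline, snapshot(target))
        results["read"] = (diff, classify(diff))

        # 2. Compromise: trojan written beside the target and renamed over it, then
        #    atime/mtime forged back to the baseline. ctime is set by the kernel on
        #    every inode change and cannot be restored through utime(2).
        trojan = target + ".new"
        with open(trojan, "wb") as fh:
            fh.write(b"\x7fELF" + b"backdoor" * 50)
        os.replace(trojan, target)
        os.utime(target, ns=(baseline["st_mtime"], baseline["st_mtime"]))
        diff = compare(baseline, snapshot(target))
        results["trojan"] = (diff, classify(diff))
    finally:
        shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for name, (diff, verdict) in run_scenarios().items():
        print(f"[{name}] {verdict}")
        if diff:
            print(report("/usr/sbin/rpc.nfsd", diff))
```

Run as a script it prints one verdict per scenario and, for the trojaned copy, the same observed/expected layout as the tw report: st_ino, st_size, st_ctime and both hashes differ while st_mtime matches the baseline exactly, which is precisely the pattern a forged timestamp leaves behind. The baseline dictionary is the part that must live somewhere the intruder cannot rewrite (read-only media or a remote host), since a database the attacker can regenerate proves nothing.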
