Re: [rdiff-backup-users] File change detection using hashes

From: Wiebe Cazemier
Subject: Re: [rdiff-backup-users] File change detection using hashes
Date: Sat, 11 Feb 2006 00:21:06 +0100
User-agent: Mozilla Thunderbird 1.0.7 (X11/20051026)

(this is a reply to a message sent to me, but not the list. Press
"reply-all", Gregory :) )

On 02/10/06 19:14, Gregory Benjamin wrote:

>A good argument in favor of this is the case where a hacker
>replaces files on a machine with altered ones that have
>been fixed to appear to have the same mtime and size as the
>original. I've run into this problem a couple of times over
>the last few years. A cracker/script-kiddie gets into the
>machine and installs a "root-kit". This root-kit contains
>scripts and utilities that replace commands like ps, ls,
>login, etc. with altered copies. To cover their tracks, the
>root-kit changes the mtimes of these infected commands to
>match the originals. The sizes are also often adjusted to
>exactly match the original.
>Only by computing an md5sum or equivalent is it possible to
>detect that these files ARE NOT the original ones.
>- Greg Benjamin

Actually, this can be detected, because the ctime has changed. There is
no way an application can set a ctime. Any alteration to the file or
its metadata results in a new ctime.

But, this is of course not rdiff-backup's job to keep track of. There is
security software which checks for changed ctimes.
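As an added illustration (not from the thread and not rdiff-backup code), this small Python check records size, mtime, ctime and a SHA-256 digest for a file, simulates the replacement Greg describes (contents swapped, size padded to the original, mtime restored with utime), and shows which attributes still give it away. It assumes POSIX ctime semantics as on Linux; on Windows os.stat's st_ctime is the creation time, so the ctime part of the check does not apply there.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class FileRecord:
    size: int
    mtime_ns: int
    ctime_ns: int  # inode change time: set by the kernel, not settable from user space
    sha256: str

def record(path: str) -> FileRecord:
    """Snapshot the attributes an integrity baseline would store for one file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return FileRecord(st.st_size, st.st_mtime_ns, st.st_ctime_ns, digest)

def changed_fields(before: FileRecord, after: FileRecord) -> list[str]:
    names = ("size", "mtime_ns", "ctime_ns", "sha256")
    return [n for n in names if getattr(before, n) != getattr(after, n)]

def looks_tampered(before: FileRecord, after: FileRecord) -> bool:
    """Size and mtime agree but ctime or content moved: the pattern from the thread."""
    diff = changed_fields(before, after)
    return bool(diff) and "size" not in diff and "mtime_ns" not in diff

def replace_keeping_size_and_mtime(path: str, new_content: bytes) -> None:
    """Simulate the modification the thread describes: new contents padded to the
    old size, then the old atime/mtime put back with utime(2). ctime still moves."""
    st = os.stat(path)
    with open(path, "wb") as f:
        f.write(new_content.ljust(st.st_size, b"\0")[: st.st_size])
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

def demo() -> list[str]:
    """Return the fields that differ after a size/mtime-preserving replacement."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ps")  # constructed sample file, not a real binary
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho original-ps\n")
        before = record(path)
        time.sleep(0.1)  # step past the kernel's coarse timestamp granularity
        replace_keeping_size_and_mtime(path, b"#!/bin/sh\necho replaced\n")
        after = record(path)
        return changed_fields(before, after)
```

Running demo() on Linux reports only ctime_ns and sha256 as changed: the mtime and size match the original, exactly as in Greg's scenario, and it is the ctime (or the hash) that exposes the swap.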
