(this is a reply to a message sent to me, but not the list. Press "reply-all", Gregory :) )
On 02/10/06 19:14, Gregory Benjamin wrote:
> A good argument in favor of this is the case where a hacker
> replaces files on a machine with altered ones that have
> been fixed to appear to have the same mtime and size as the
> original. I've run into this problem a couple of times over
> the last few years. A cracker/script-kiddie gets into the
> machine and installs a "root-kit". This root-kit contains
> scripts and utilities that replace commands like ps, ls,
> login, etc. with altered copies. To cover their tracks, the
> root-kit changes the mtimes of these infected commands to
> match the originals. The sizes are also often adjusted to
> exactly match the original.
>
> Only by computing a md5sum or equivalent is it possible to
> detect that these files ARE NOT the original ones.
>
> - Greg Benjamin
>

Actually, this can be detected, because the ctime has changed. There is no way an application can set a ctime. Any alteration to the file or its metadata results in a new ctime. But this is of course not rdiff-backup's job to keep track of. There is security software which checks for changed ctimes.
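To illustrate the point about ctime, here is a small added example (not code from rdiff-backup or from anyone in this thread): it fingerprints a file by size, mtime, ctime and SHA-256, then reproduces the scenario Greg describes on a constructed temporary file, a same-size replacement with its mtime reset to the original's, and reports which attributes still give the replacement away. The `Fingerprint`, `fingerprint`, `compare` and `demo` names are my own.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    size: int
    mtime_ns: int
    ctime_ns: int   # on Linux/Unix: last inode change; not settable by utime()
    sha256: str


def fingerprint(path: str) -> Fingerprint:
    """Record the attributes an integrity checker would store as a baseline."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return Fingerprint(st.st_size, st.st_mtime_ns, st.st_ctime_ns, digest)


def compare(baseline: Fingerprint, current: Fingerprint) -> list:
    """Return the names of the attributes that differ from the baseline."""
    return [name for name in ("size", "mtime_ns", "ctime_ns", "sha256")
            if getattr(baseline, name) != getattr(current, name)]


def demo() -> list:
    """Constructed scenario: 'ps' is replaced by a same-size file whose
    mtime is forged back to the original; size and mtime then match the
    baseline, but ctime and the hash do not."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ps")
        original = b"#!/bin/sh\necho genuine ps\n"
        with open(path, "wb") as f:
            f.write(original)
        baseline = fingerprint(path)          # the trusted snapshot
        time.sleep(0.1)                       # let the clock tick past the baseline ctime
        altered = b"#!/bin/sh\necho bogus ps\n"
        altered += b"#" * (len(original) - len(altered))   # pad to the original size
        with open(path, "wb") as f:
            f.write(altered)
        # Put mtime (and atime) back to the original; ctime is updated by the
        # kernel to "now" regardless, which is exactly what the check relies on.
        os.utime(path, ns=(baseline.mtime_ns, baseline.mtime_ns))
        return compare(baseline, fingerprint(path))
```

The check only works if the baseline is stored somewhere the attacker cannot rewrite, and it assumes a Unix-style ctime (on Windows `st_ctime` is the creation time, so the ctime part of this demo does not apply there).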
_______________________________________________
rdiff-backup-users mailing list at rdiff-backup-users@nongnu.org
http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki