Bugtraq mailing list archives
Re: antizap2.
From: ley () cert dfn de (Wolfgang Ley)
Date: Wed, 9 Oct 1996 18:38:00 +0200
-----BEGIN PGP SIGNED MESSAGE-----

Digital Dreamer wrote:
Here's a little utility I wrote to detect if zap2 has been used on your wtmp file. I've tested it on Linux, it works fine on that, and it _should_ theoretically work on any other platform that zap2 works on. It just searches for null blocks in wtmp. I have another version that will intelligently warn about UT_UNKNOWNs, null hostnames, etc, so a simple hack to zap2 won't defeat it, but that one isn't complete yet. I'll email the url I've put it up at when I complete it. But until then, here's az2.c.
There are several problems associated with that kind of tool. In particular, you'll only recognize overwrites by null bytes. If the overwriting is done cleverly enough, then you can't detect it. If it is done stupidly enough (like zap/zap2), you can also find the approximate time when the deletion was made and some other information. For a tool that does this, see also "chkwtmp" and perhaps "chklastlog". The tools have been available since 1994, for example from our ftp server:

ftp://ftp.cert.dfn.de/pub/tools/audit/chklastlog/
ftp://ftp.cert.dfn.de/pub/tools/audit/chkwtmp/

Bye,
Wolfgang Ley.

- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley () cert dfn de   Phone: +49 40 5494-2262   Fax: +49 40 5494-2241
PGP-Key available via finger ley () ftp cert dfn de, any key-server, or via WWW from http://www.cert.dfn.de/~ley/
...have a nice day

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMlvU5QQmfXmOCknRAQFBagP/f4g9rhEcHDnVNuZS3p5Ph+OUTd1AEbu9
qk7lbKllk6hJJSqVGYZmaD+IWjjTisOZDbM71ujSwVban9tG2hdfM7UFa9N2xMSH
v1nCdPbwmUUR9fsCQky5UQN7b7tN45V/BAzeMQMHaoj22ruS5vwS0V91p2MS16gb
eRlyxUIPrjA=
=YSFj
-----END PGP SIGNATURE-----
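The detection both posters describe, null-block scanning of wtmp plus the "approximate time of deletion" that Wolfgang mentions, as an added example that is neither az2.c nor chkwtmp. It assumes the glibc `struct utmp` layout (`ut_type`, `ut_user`, `ut_line`, `ut_host`, `ut_tv`); BSD-derived systems use utmpx and differ. Each all-zero record is reported with the timestamps of its nearest intact neighbours, which bound when the wiped login happened, and a second pass flags records that are not zeroed but have an EMPTY type or a login with no user name. The sample data is constructed inline so the program runs without a real wtmp.

```c
/* Added example (not az2.c or chkwtmp): scan a wtmp file for records that
 * were overwritten with null bytes, the trace zap/zap2-style editors leave,
 * and bracket each hole with the timestamps of its intact neighbours.
 * Assumes the glibc struct utmp layout; BSD/utmpx systems differ. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <utmp.h>

struct hole {
    size_t index;        /* record number in the file */
    time_t not_before;   /* timestamp of last intact record before the hole */
    time_t not_after;    /* timestamp of first intact record after the hole */
};

/* True if every byte of the record is zero: a wiped slot, not a real entry. */
static int is_null_record(const struct utmp *u)
{
    const unsigned char *p = (const unsigned char *)u;
    for (size_t i = 0; i < sizeof *u; i++)
        if (p[i]) return 0;
    return 1;
}

/* Walk n records, fill up to max holes, return the number of null records.
 * wtmp is append-only and chronological under normal operation, so the
 * nearest non-null neighbours bound when the wiped entry was written. */
size_t find_null_records(const struct utmp *recs, size_t n,
                         struct hole *holes, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_null_record(&recs[i])) continue;
        if (found < max) {
            struct hole h = { i, 0, 0 };
            for (size_t j = i; j-- > 0; )              /* scan backwards */
                if (!is_null_record(&recs[j])) { h.not_before = recs[j].ut_tv.tv_sec; break; }
            for (size_t j = i + 1; j < n; j++)         /* scan forwards */
                if (!is_null_record(&recs[j])) { h.not_after = recs[j].ut_tv.tv_sec; break; }
            holes[found] = h;
        }
        found++;
    }
    return found;
}

/* Secondary heuristic: a non-null record with an EMPTY type, or a login
 * record with no user name, was probably edited rather than zeroed. */
size_t find_suspicious_records(const struct utmp *recs, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const struct utmp *u = &recs[i];
        if (is_null_record(u)) continue;
        if (u->ut_type == EMPTY || (u->ut_type == USER_PROCESS && u->ut_user[0] == '\0'))
            count++;
    }
    return count;
}

/* Constructed sample: four logins an hour apart, the third zeroed out. */
size_t build_sample(struct utmp *out, size_t max)
{
    static const char *users[] = { "alice", "bob", "carol", "dave" };
    size_t n = 0;
    for (size_t i = 0; i < 4 && n < max; i++, n++) {
        memset(&out[n], 0, sizeof out[n]);
        out[n].ut_type = USER_PROCESS;
        strncpy(out[n].ut_user, users[i], sizeof out[n].ut_user - 1);
        strncpy(out[n].ut_line, "pts/0", sizeof out[n].ut_line - 1);
        strncpy(out[n].ut_host, "example.test", sizeof out[n].ut_host - 1);
        out[n].ut_tv.tv_sec = 844880000 + (int)(i * 3600);   /* constructed 1996 epoch times */
    }
    if (n > 2) memset(&out[2], 0, sizeof out[2]);   /* the "deleted" entry */
    return n;
}

int main(int argc, char **argv)
{
    static struct utmp buf[1024];
    size_t n;
    if (argc > 1) {                        /* e.g. ./wtmpcheck /var/log/wtmp */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, sizeof buf[0], sizeof buf / sizeof buf[0], f);
        fclose(f);
    } else {
        n = build_sample(buf, sizeof buf / sizeof buf[0]);
    }
    struct hole holes[64];
    size_t nh = find_null_records(buf, n, holes, 64);
    for (size_t i = 0; i < nh && i < 64; i++)
        printf("null record #%zu: written between %ld and %ld (epoch)\n",
               holes[i].index, (long)holes[i].not_before, (long)holes[i].not_after);
    printf("%zu null, %zu suspicious of %zu records\n",
           nh, find_suspicious_records(buf, n), n);
    return 0;
}
```

Run it with no arguments to see the constructed sample, or point it at a copy of /var/log/wtmp. As Wolfgang notes, this catches only the lazy case: an editor that removes the record entirely and rewrites the file, or fills the slot with plausible data, leaves no zero block, which is why the neighbour timestamps are the only extra information recoverable here.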
Current thread:
- antizap2. Digital Dreamer (Oct 08)
- Re: antizap2. Wolfgang Ley (Oct 09)