Bugtraq mailing list archives

Re: antizap2.


From: ley () cert dfn de (Wolfgang Ley)
Date: Wed, 9 Oct 1996 18:38:00 +0200


Digital Dreamer wrote:

Here's a little utility I wrote to detect if zap2 has been used on your
wtmp file.  I've tested it on Linux, it works fine on that, and it
_should_ theoretically work on any other platform that zap2 works on.
It just searches for null blocks in wtmp.  I have another version that
will intelligently warn about UT_UNKNOWNs, null hostnames, etc, so a
simple hack to zap2 won't defeat it, but that one isn't complete yet.
I'll email the url I've put it up at when I complete it.  But until then,
here's az2.c.

There are several problems associated with that kind of tool. In particular
you'll only recognize overwrites by null bytes. If overwriting is done
cleverly enough then you can't detect it.
If it is done stupidly enough (like zap/zap2) you can also find the
approximate time when the deletion was made and some other information.
For a tool that does this see also "chkwtmp" and perhaps "chklastlog".

The tools have been available since 1994. For example from our ftp server:
ftp://ftp.cert.dfn.de/pub/tools/audit/chklastlog/
ftp://ftp.cert.dfn.de/pub/tools/audit/chkwtmp/

Bye,
  Wolfgang Ley.
--
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley () cert dfn de   Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley () ftp cert dfn de any key-server or via
WWW from http://www.cert.dfn.de/~ley/               ...have a nice day



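A detector of the kind discussed in this thread, written here as an added example (it is neither az2.c nor chkwtmp): it scans a wtmp image for zap2-style all-null records and the blank-field variants Digital Dreamer mentions, and, as Wolfgang notes is possible for crude wipes, bounds each hole by the timestamps of its intact neighbours. It assumes the 384-byte Linux x86-64 utmp layout; the sample wtmp is constructed inline.

```python
import struct

# Linux glibc utmp record layout, 384 bytes (assumed; matches x86-64 wtmp).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
UT_UNKNOWN, USER_PROCESS = 0, 7

def make_rec(ut_type, user, line, host, tv_sec, pid=1000):
    """Build one wtmp record (used only to construct the sample file)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def parse_wtmp(data):
    """Split a wtmp image into dicts; reject files that are not whole records."""
    if len(data) % UTMP.size:
        raise ValueError("wtmp is not a multiple of %d bytes" % UTMP.size)
    recs = []
    for off in range(0, len(data), UTMP.size):
        raw = data[off:off + UTMP.size]
        f = UTMP.unpack(raw)
        recs.append({"type": f[0], "line": f[2].rstrip(b"\0"),
                     "user": f[4].rstrip(b"\0"), "host": f[5].rstrip(b"\0"),
                     "time": f[9], "zero": raw == bytes(UTMP.size)})
    return recs

def suspicious(r):
    """Return a reason string if the record looks wiped, else None."""
    if r["zero"]:
        return "all-null record"
    if r["type"] == UT_UNKNOWN and not r["user"] and not r["line"]:
        return "UT_UNKNOWN with empty user/line"
    if r["type"] == USER_PROCESS and (not r["user"] or r["time"] == 0):
        return "login record with empty user or zero time"
    return None

def find_wiped(recs):
    """Flag wiped records; bound each by the nearest intact neighbours' times."""
    hits = []
    for i, r in enumerate(recs):
        why = suspicious(r)
        if not why:
            continue
        before = next((x["time"] for x in reversed(recs[:i]) if not suspicious(x)), None)
        after = next((x["time"] for x in recs[i + 1:] if not suspicious(x)), None)
        hits.append({"index": i, "reason": why, "not_before": before, "not_after": after})
    return hits

# Constructed sample: two genuine logins with one zap2-style null hole between them.
SAMPLE = (make_rec(USER_PROCESS, "alice", "pts/0", "10.0.0.5", 844880000)
          + bytes(UTMP.size)  # record overwritten with null bytes
          + make_rec(USER_PROCESS, "bob", "pts/1", "10.0.0.7", 844883600))

if __name__ == "__main__":
    for h in find_wiped(parse_wtmp(SAMPLE)):
        print(h)
```

As the reply points out, a wipe that rewrites the record with plausible values rather than nulls or blanks passes every check here; the time window is only as tight as the surrounding intact entries.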
