Bugtraq mailing list archives
Re: ISS Internet Scanner Cannot be relied upon for conclusive
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Fri, 12 Feb 1999 23:57:19 +1100
In some mail from David LeBlanc, sie said:
> At 07:37 PM 2/10/99 +1100, Darren Reed wrote:
>> In some mail from David LeBlanc, sie said:
>>> We check file dates when checking for NT patches, and would catch your example.
>> I don't see how that can be considered "adequate".
> Because it is going to be accurate on 99+% of NT systems. The file timestamps are all the same when you install a hotfix. If you _really_ want to be sure no one has put trojans on a box, you need to baseline the system (our system scanner does this, as does tripwire, and others).
It's not the trojans I'm concerned about so much as other timestamp influences which may lead to the result of the test being 'false'. Although NT doesn't come pre-installed with tools such as file(1) or touch(1) (which can easily be used - accidentally - by a naive person with root to adjust date/time stamps), it isn't without the means to change time stamps by accident. Using timestamps is, IMHO, a "cheap" solution, which if you can get away with it is probably why it has been taken :-)

Darren
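The two checks argued over in this message, a file-date comparison and a content baseline, side by side as an added example that is not part of the original post or of any scanner's code. The file name, contents and timestamp are constructed, and SHA-256 stands in for whatever digest a baselining tool records.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for a hotfixed file and the date its installer stamps on it.
HOTFIX_BYTES = b"patched component (constructed sample)"
UNPATCHED_BYTES = b"original component (constructed sample)"
HOTFIX_MTIME = 918_000_000  # constructed epoch value, early Feb 1999

def sha256_of(path):
    """Digest of the file contents; unaffected by any timestamp change."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def patched_by_timestamp(path, expected_mtime):
    """The 'cheap' check: the file counts as patched if its date matches."""
    return int(os.stat(path).st_mtime) == expected_mtime

def patched_by_hash(path, expected_digest):
    """The baseline check: the file counts as patched if its contents match."""
    return sha256_of(path) == expected_digest

def place(path, data, mtime):
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))  # set atime and mtime explicitly

def run_scenarios():
    """Return {scenario: (timestamp_verdict, hash_verdict)}."""
    expected_digest = hashlib.sha256(HOTFIX_BYTES).hexdigest()
    scenarios = {
        # hotfix installed, nothing touched afterwards
        "installed": (HOTFIX_BYTES, HOTFIX_MTIME),
        # hotfix installed, then the date changed by accident (a touch, a copy)
        "installed_then_touched": (HOTFIX_BYTES, HOTFIX_MTIME + 86400),
        # old contents that happen to carry the hotfix date
        "unpatched_with_hotfix_date": (UNPATCHED_BYTES, HOTFIX_MTIME),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "component.bin")
        for name, (data, mtime) in scenarios.items():
            place(path, data, mtime)
            results[name] = (patched_by_timestamp(path, HOTFIX_MTIME),
                             patched_by_hash(path, expected_digest))
    return results

if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:28s} timestamp={verdicts[0]!s:5s} hash={verdicts[1]}")
```
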