Firewall Wizards mailing list archives
Re: FW: OK, I've been hacked, now what?
From: Lance Spitzner <spitzner () dimension net>
Date: Thu, 13 May 1999 17:21:22 -0400 (EDT)
On Wed, 12 May 1999 kevin.sheldrake () baedsl co uk wrote:

> I assume that Tripwire tracks changes to files. How does it distinguish
> between normal, everyday system usage and unauthorised access?
Excellent question. Tripwire gives a great deal of information about a file; it is up to you to decide if those changes were made by you or someone else. Example: below is the tw output of a file that was altered in a recent compromise.

    /usr/sbin/rpc.nfsd
        st_ino:        618645                    133212
        st_size:       7229                      54268
        st_mtime:      Thu Nov 26 00:02:19 1998  Mon Apr 27 11:11:13 1998
        st_ctime:      Tue Apr 27 16:58:22 1999  Sun Apr  4 16:48:43 1999
        md5 (sig1):    33IMsVA6bepPJa:cJKb2jN    3dMAJZukmzJB.w0LXVQ8G7
        snefru (sig2): 0ITeW9EYSbGi9bYUxZ2:tQ    31lWGLQGwh7jAAnu4LEGTs

Based on the information above, the file was definitely modified, not just accessed. Since the admin did not modify nor patch the binary, you know something is up. You can tell the system was modified since there is a change in mtime and the hash signatures snefru and md5. To get a better understanding of what st_ino, st_size, st_mtime, and st_ctime are, do a man on stat(2).

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
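As an added illustration (not part of Lance's post and not Tripwire's own code), the script below records the same fields the tw output above shows (st_ino, st_size, st_mtime, st_ctime and two content hashes), compares a baseline against a later snapshot, and answers the question in the thread: was the file merely accessed, or was it altered? Python's hashlib has no snefru, so sha256 stands in as the second signature (an assumption). The file name rpc.nfsd is borrowed from the post only as a label; the scenario in demo() is constructed, not a real binary.

```python
import hashlib
import os
import stat
import tempfile

# Constructed Tripwire-style baseline/compare for a single file.
# sha256 stands in for Tripwire's snefru signature (assumption: hashlib lacks snefru).


def snapshot(path):
    """Record the inode metadata and content hashes Tripwire compares."""
    st = os.stat(path)
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "st_ino": st.st_ino,
        "st_size": st.st_size,
        "st_mode": stat.S_IMODE(st.st_mode),
        "st_mtime": int(st.st_mtime),   # last content write (settable by the owner)
        "st_ctime": int(st.st_ctime),   # last inode change (not settable via utime)
        "st_atime": int(st.st_atime),   # last read; depends on mount options
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def diff(baseline, current):
    """Return {field: (baseline_value, current_value)} for every field that differs."""
    return {k: (baseline[k], current[k]) for k in baseline if baseline[k] != current[k]}


def classify(changes):
    """Interpret a set of changed fields the way the post reads the tw output."""
    if not changes:
        return "unchanged"
    if "md5" in changes or "sha256" in changes:
        return "content modified"                 # the decisive signal
    if "st_ino" in changes:
        return "file replaced (same content, new inode)"
    if "st_mtime" in changes:
        return "timestamp touched, content intact"
    if "st_ctime" in changes or "st_mode" in changes:
        return "metadata changed (mode/owner), content intact"
    if set(changes) == {"st_atime"}:
        return "accessed only"
    return "other change"


def demo():
    """Constructed scenario: baseline a file, overwrite it, re-check it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rpc.nfsd")        # label only, not a real daemon binary
        with open(path, "wb") as fh:
            fh.write(b"original binary contents\n")
        baseline = snapshot(path)
        old = os.stat(path)
        with open(path, "wb") as fh:
            fh.write(b"original binary contents plus something extra\n")
        # Even with mtime restored to the baseline value, size, ctime and
        # both hashes still disagree, which is why the hashes are what you trust.
        os.utime(path, (old.st_atime, old.st_mtime))
        changes = diff(baseline, snapshot(path))
        for field, (was, now) in changes.items():
            print(f"{field:9} {was} -> {now}")
        return classify(changes)


if __name__ == "__main__":
    print(classify(diff({}, {})))
    print(demo())
```

Run it as a script to see the changed fields printed one per line, followed by the verdict "content modified". In the "accessed only" branch, note that whether st_atime moves at all depends on the filesystem's atime mount option, so a quiet atime is not by itself evidence that nothing read the file.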