Forbid user set file mtime in the past
Valeri Galtsev
galtsev at kicp.uchicago.edu
Fri Nov 20 17:39:02 UTC 2015
On Fri, November 20, 2015 11:00 am, Artem Kuchin wrote:
> Hello!
>
>
> Is there any way to forbid users to set file modification time in the
> past?
>
> I am asking because many php viruses somehow set modification time in
> the past
> and just checking what php files were created/modified for the last n
> hours just does
> not work at all.
>
I know, this is not an answer to your question. Still, relying on anything
on a compromised system for forensics is counterproductive. A much better
approach would be to keep checksums (and all from long listing including
inode number) of all files on a trusted clean ultimately secure machine.
Another thing one can do is to compare all files with, say, a backup from the
time before the moment the bad event happened. No matter what time stamps
are, if files differ from backup, they were modified _after_ that time
point. But again, as always they advise, recovery from compromise begins
with fresh system installation, patching, setting up whatever you choose
for "file integrity" checks...
Just my $0.02
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
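An added example (not part of the thread, and not anyone's posted code) of the approach Valeri describes: record a checksum plus long-listing metadata (inode, size, mode, mtime) for every file on a trusted baseline, then compare a later scan against it. The demo builds a constructed PHP tree in a temporary directory, takes the baseline, then reproduces the condition Artem describes (a file's content changes but its mtime is put back to the old value) and shows that the "modified in the last n hours" check misses it while the checksum comparison does not. Function and file names are my own choices; the same `compare` would be used against a manifest taken from a backup.

```python
import hashlib
import os
import stat
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One file's content hash plus the long-listing fields worth keeping."""
    sha256: str
    inode: int
    size: int
    mode: int
    mtime_ns: int


def scan(root):
    """Walk root and build {relative path: Entry} for every regular file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, etc.
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root)
            manifest[rel] = Entry(h.hexdigest(), st.st_ino, st.st_size,
                                  st.st_mode, st.st_mtime_ns)
    return manifest


def compare(baseline, current):
    """Diff two manifests; content is judged by hash, never by timestamp."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    content_changed, metadata_changed = [], []
    for rel in sorted(set(baseline) & set(current)):
        b, c = baseline[rel], current[rel]
        if b.sha256 != c.sha256:
            content_changed.append(rel)
        elif (b.inode, b.size, b.mode, b.mtime_ns) != (c.inode, c.size, c.mode, c.mtime_ns):
            metadata_changed.append(rel)   # e.g. file replaced with an identical copy
    return {"added": added, "removed": removed,
            "content_changed": content_changed, "metadata_changed": metadata_changed}


def modified_since(manifest, since_ns):
    """The naive 'changed in the last n hours' check the post says does not work."""
    return sorted(rel for rel, e in manifest.items() if e.mtime_ns >= since_ns)


def demo():
    """Constructed scenario: edit a file, reset its mtime, drop a backdated file."""
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "index.php")
        lib = os.path.join(root, "lib.php")
        with open(index, "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(lib, "w") as f:
            f.write("<?php function helper() {} ?>\n")
        # Make the tree look a day old so the baseline predates our "incident".
        old_ns = time.time_ns() - 86_400 * 10**9
        for p in (index, lib):
            os.utime(p, ns=(old_ns, old_ns))

        baseline = scan(root)        # what the trusted machine / backup would hold
        cutoff_ns = time.time_ns()   # the incident window starts here

        # Reproduce the condition from the thread: content altered, mtime put back.
        with open(index, "a") as f:
            f.write("<?php /* unexpected addition */ ?>\n")
        os.utime(index, ns=(old_ns, old_ns))
        extra = os.path.join(root, "extra.php")
        with open(extra, "w") as f:
            f.write("<?php /* new file with an old timestamp */ ?>\n")
        os.utime(extra, ns=(old_ns, old_ns))

        current = scan(root)
        diff = compare(baseline, current)
        return {
            "by_mtime": modified_since(current, cutoff_ns),   # finds nothing
            "by_checksum": diff["content_changed"],           # ['index.php']
            "added": diff["added"],                           # ['extra.php']
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is produced on the clean host (or from the backup) and copied off-box before anything is trusted; only `compare` runs against the suspect tree, and it treats a mtime difference as a secondary signal rather than the test.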
More information about the freebsd-questions
mailing list