February 2nd, 2003, 05:16 PM
Retrieving access time information
Well, imagine an attacker manages to break into a server, running linux. He/she uses touch to change the access time of a given file. My question is: is it possible to retrieve the old access time for a file in a ext2 filesystem or ReiserFS? This would give you an idea on when exactly the break-in happened. Ah, and sure: how would it work?
Found in a diary:
\".... and yes, since i am a l337 hax0r, i am also using vi to write this. ^[[D^[[B^ exit ^X^C quit :x :wq dang it :w:w:w :x ^C^C^Z^D\"
February 2nd, 2003, 06:14 PM
Did you make a mirror image of the disk? You don't want to be playing with your original.
A couple wrong moves and you can damage evidence.
I'm not all that good with linux and I'm still learning, but if I wanted to get back the old times/dates, I'd do a restore from an earlier date (to another location as not to overwrite your current files/directories) and compare the files/directories. I'd do this on the newly mirrored drive.
Keep the original in case you really mess up your copy and have to start over.
PS: I've read some really good books involving stuff like this. You might want to check out Incident Response as it has tons of useful info for cases such as this.
is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
February 2nd, 2003, 06:41 PM
Tripwire and AIDE will create images of files and folders that you specify, so you can compare it at later times. Tripwire and AIDE are both IDS, so you can see which file have changed depending on timestamp, size, what has been edited. Also use secheck, it will also tell you which files have been modified along with alot of other usefull information. Also be sure to check your /var/log/messages, aswell as using the "lastlog" command and also the HISTORY list. That will help you determine what has been done. An attacker might scan your system, then wait a week or two before trying to gain access to it. Compare older scans with recent events that seem odd to you. Make sure you have backups, keep checking your /etc/passwd for any users that you have not created yourlself. Do a ps -aux to see if there are any applications running that you dont know what they are or what they do. ALso change all your passwords once in a while. Make sure that you use STRONG passwords. Never rely one one application to tell you what may have happend when. Use as many tools as possible to determine what could have gone wrong. Along with that, disable any system users and services that are not in use. Make sure you dont have any odd entries in /etc/inetd.conf , since there are a number of scripts that give access. Also make sure that inetD is not active (unless you really need it). Also check all the logfiles from each individual service that you offer (httpd logs, ftpd logs, firewall logs, mail logs etc... Try running your services in standalone mode, not using any super daemons. Try running services not as root, but as limited users (ie. the apache server should not be started as root, but as user www. Anyways, after you suspect a break in, the following procedure is essential.
1 - Remove the machine that you belive has been breached from any network,
2 - Compare the system to previos settings (that is if you have used an IDS such as tripwire, AIDE, or snort)
3 - Check all your logfiles.
4 - Check all the user accounts.
5 - Change your passwords.
6 - Use the lastlog command to see which user has last logged in.
7 - The HISTORY command from each user will tell you what commands have been executed.
8 - Make sure that there are no open ports in state LISTEN that you did not manually allow yourself.
9 - use the ps aux to determine what processes are running, and which user has started them.
10 - Check the following files carefully : /etc/inetd.conf, /etc/lilo.conf, /etc/rc.config, /etc/rc.config.d/(firewall files), /etc/rc.d/*, /etc/password, /etc/shadow, /home/user/.hist, etc....
i hope this helps you. Also i recall seeing many threads on AO that handle this issue. Use the search functions to help you locate them. Read the previous threads on this subject, as there is a lot more information provided than i am able to provide.
Good luck to you.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
February 2nd, 2003, 10:55 PM
Thanks a lot for the suggestions. So, it seems that the best way to be sure when the event happened would be to use a lids like tripwire and recover info from it.. I thought there was a tool that would retrieve old access time information (i think i read something about it, but can´t remember too well) just like some tools restore deleted files. Anyway, your ideas seem much more appealing: being prepared to the incident before it occurs. Oh, sorry.. I am not running a server yet.. I´m just damn pretty curious. But I will have fun with it one day..
great suggestions. =]