19.7 How the File System Can Be Damaged

A good and thorough cracker will modify set-UID programs, modify non-set-UID programs that root is likely to use, and may even modify the kernel. He will also set the modification times, and even the change times (ctime, often misread as "create time"), of those files back to what they were, to hide his work from ls -l, from ls -lc and from find / -mtime -10 -print.

Modification time (mtime) is the time that the contents of the file (the data) were last written. Change time (ctime) is the most recent time that either the file contents or the inode information changed; its "c" is widely misread as "create", but the classic Unix inode records no creation time at all. The inode (index node) holds the file's owner, group, permissions, size, time stamps, the location on disk of its data blocks, and so on. Access time (atime) is the last time that any of the file contents were read. Writing to a file does not update its access time on Linux (it does on some UNIX systems), and since kernel 2.6.30 Linux mounts file systems with relatime by default, so even a read only updates atime when the stored atime is older than the mtime or ctime or more than a day old. The atime is therefore the least useful of the three for an investigation.

The Linux kernel updates all three times automatically, but a user can set the modification time or access time of his own files with the touch command (-m, -a, -t and -d pick the time; -r copies another file's times, which is exactly what an intruder does to make a Trojan look like its neighbours), or from C with utime(), utimes() or utimensat(). None of these calls accepts a change time: the kernel always writes the current clock into ctime, so it can only be faked by altering the system's clock before making the change, or by writing to the file system's disk device in /dev underneath the kernel (with a file-system debugger such as debugfs, or by hand). Back in the old days, we did all of these things (but never maliciously). The best crackers will have the hacked programs be the same size as the original and even have the same checksum as reported by sum. How do they do that?
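As an added illustration, not taken from the book, the following Python script plays intruder and then auditor on a scratch file: it writes the file, backdates atime and mtime with os.utime() (what touch -a -m -t does) and shows that ctime moved to the moment of the touch regardless. The helper names backdated_files() and changed_within() are this example's own; the latter does what find / -type f -cmin -N does, hunting on ctime instead of mtime. It assumes Linux/Unix semantics, where st_ctime is the inode change time rather than a creation time, and the file contents are constructed.

```python
"""Added example (not from the book): what an intruder can and cannot backdate
through touch(1)/utime(2), and how the change time (ctime) gives it away.
Assumes Linux/Unix semantics (st_ctime is the inode change time, not a creation
time). The file, its contents and the scratch directory are constructed here."""
import os
import stat
import tempfile
import time

DAY = 86400


def timestamps(path):
    """atime, mtime and ctime of a file in seconds since the epoch."""
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def backdate(path, when):
    """The intruder's `touch -a -m -t` move: set atime and mtime to `when`.
    utime(2) lets the owner (or root) choose those two freely, but the kernel
    stamps the current clock into ctime as a side effect of the call."""
    os.utime(path, (when, when))


def _regular_files(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                yield path, st


def backdated_files(root, gap=DAY):
    """Regular files whose ctime lies more than `gap` seconds after their mtime.
    A normal write moves both stamps together; a wide gap means the inode was
    touched after the data supposedly was, e.g. mtime was set backwards."""
    return [p for p, st in _regular_files(root) if st.st_ctime - st.st_mtime > gap]


def changed_within(root, seconds):
    """`find root -type f -cmin -N` in Python: hunt on ctime rather than mtime,
    because a backdated mtime cannot hide a file from a ctime test."""
    now = time.time()
    return [p for p, st in _regular_files(root) if now - st.st_ctime < seconds]


def demo():
    """Play intruder, then auditor, on a scratch file; return what each saw."""
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "suid_prog")  # stand-in for a modified set-UID program
        with open(target, "wb") as f:
            f.write(b"trojaned code\n")            # step 1: the edit; mtime and ctime both move
        fresh = timestamps(target)
        jan_2000 = time.mktime((2000, 1, 1, 0, 0, 0, 0, 0, -1))
        backdate(target, jan_2000)                # step 2: hide it from ls -l and find -mtime
        faked = timestamps(target)
        return {
            "mtime_backdated": faked["mtime"] == jan_2000,            # ls -l now lies
            "ctime_not_backdated": faked["ctime"] >= fresh["ctime"],  # ls -lc does not
            "flagged": backdated_files(work) == [target],
            "found_by_cmin": changed_within(work, 3600) == [target],
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:20s} {result}")
```

A ctime well after the mtime is a lead, not proof: package installs, cp -p and tar extraction all keep the archived mtime while the install sets a fresh ctime, and chmod or chown move ctime alone. Use the gap to pick candidates, then compare their contents against a trusted baseline kept off the machine, since root with write access to the device (or a file-system debugger) can rewrite ctime as well.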

If they need to add code somewhere, they may optimize existing code somewhere else so that the size does not change. To get the checksum the same, they simply alter the bytes of an unused character string somewhere until sum reports the same value as before. Studying the code of sum shows why this works: its checksum is sensitive to any change in the file, but it carries only 16 bits of state (a rotate-and-add in the default BSD mode, a plain byte sum in the System V mode selected with -s), so there are just 65,536 possible values and a handful of free bytes can steer the result to any of them. The md5sum program is not vulnerable to Trojans being fitted to the original program's "checksum" this way: matching the 128-bit digest of an existing file would require a second-preimage attack on MD5, which nobody has. (MD5 collisions, where the attacker crafts both files, have been practical since 2004, so a current integrity check should use SHA-256 via sha256sum instead; that does not change the point about an intruder altering an existing file.)
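To make the difference concrete, here is an added example (not from the book) that implements the 16-bit BSD checksum GNU sum uses by default and then does the intruder's job automatically: given a same-length Trojaned copy with nine free bytes of string padding, it finds padding that makes sum report the original value, while md5sum and sha256sum still differ. The "binary", its code and usage strings are constructed stand-ins, and forge_slack() is this example's own helper: a meet-in-the-middle search over the 65,536 checksum states, running four of the free bytes forward from the prefix and five backward from the state the trailer needs.

```python
"""Added example (not from the book): why `sum` is forgeable and md5sum is not.
Implements the 16-bit BSD checksum that GNU `sum` prints by default and a
search that fits nine free bytes (the "unused character string") so that a
Trojaned file of the same length reports the same sum as the original.
All binary contents below are constructed stand-ins, not a real program."""
import hashlib

MASK = 0xFFFF


def rotr16(x):
    return (x >> 1) | ((x & 1) << 15)


def rotl16(x):
    return ((x << 1) & MASK) | (x >> 15)   # exact inverse of rotr16


def bsd_sum(data, state=0):
    """sum(1)'s default algorithm: rotate the 16-bit running value right by
    one, add the next byte. Only 16 bits of state survive."""
    c = state
    for b in data:
        c = (rotr16(c) + b) & MASK
    return c


def digests(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def forge_slack(prefix, suffix, target, slack=9, split=4):
    """Return `slack` bytes P with bsd_sum(prefix + P + suffix) == target,
    or None. Meet-in-the-middle over the 65,536 states: run the first `split`
    free bytes forward from the prefix, the rest backward from the state the
    suffix needs, and join where the two reachable sets overlap. With nine
    bytes the two sides always cover enough of the state space to meet."""
    # State the free bytes must leave behind so that the suffix lands on target.
    need = target
    for b in reversed(suffix):
        need = rotl16((need - b) & MASK)

    # Forward layers: state after i free bytes -> (previous state, byte used).
    fwd = [{bsd_sum(prefix): None}]
    for _ in range(split):
        layer = {}
        for s in fwd[-1]:
            base = rotr16(s)
            for p in range(256):
                layer.setdefault((base + p) & MASK, (s, p))
        fwd.append(layer)

    # Backward layers: state from which `need` is j bytes away -> (next state, byte).
    bwd = [{need: None}]
    for _ in range(slack - split):
        layer = {}
        for t in bwd[-1]:
            for p in range(256):
                layer.setdefault(rotl16((t - p) & MASK), (t, p))
        bwd.append(layer)

    meet = next((s for s in fwd[-1] if s in bwd[-1]), None)
    if meet is None:
        return None
    head, s = [], meet
    for layer in reversed(fwd[1:]):          # walk back to the prefix state
        s, p = layer[s]
        head.append(p)
    head.reverse()
    tail, t = [], meet
    for layer in reversed(bwd[1:]):          # walk forward to `need`
        t, p = layer[t]
        tail.append(p)
    return bytes(head + tail)


# Constructed stand-in for a set-UID binary: header, code, a usage string
# followed by nine bytes of padding (the bytes the intruder will twiddle).
HEADER = b"\x7fELF stand-in "
USAGE = b"usage: login [-p] [-h host] [name]"
PADDING = b"\0" * 9
TRAILER = b"\0\0\0\0 rest of the binary"
CODE_ORIGINAL = b"check password; grant shell if ok"
CODE_TROJAN = b"log password to /tmp; grant shell"   # same length, different behaviour
assert len(CODE_TROJAN) == len(CODE_ORIGINAL)

ORIGINAL = HEADER + CODE_ORIGINAL + USAGE + PADDING + TRAILER
_prefix = HEADER + CODE_TROJAN + USAGE
FORGED_PADDING = forge_slack(_prefix, TRAILER, bsd_sum(ORIGINAL))
TROJANED = _prefix + FORGED_PADDING + TRAILER

if __name__ == "__main__":
    print("sum  original %05d  trojaned %05d" % (bsd_sum(ORIGINAL), bsd_sum(TROJANED)))
    print("md5  original", digests(ORIGINAL)["md5"])
    print("md5  trojaned", digests(TROJANED)["md5"])
```

The search succeeds because each free byte both halves the spread of the running value (the rotate) and adds up to 255 to it, so a few bytes reach every one of the 65,536 states; the same approach against md5sum would have to steer a 128-bit internal state through a one-way compression function, which is the second-preimage problem MD5 has not lost. The forged padding is not printable, which is why an intruder picks a string that is never displayed.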

Using Tripwire avoids this problem because Tripwire records cryptographic message digests (MD5, SHA-1 and others) for each file rather than a sum-style checksum, and compares them against a baseline database; Tripwire would be extremely hard to trip up in this way. Likewise the md5sum program's message digest, similar in purpose to a checksum, is very hard to defeat. This author is not aware of it having been done.

Real World Linux Security (Prentice Hall PTR Open Source Technology Series), 2002, 260 pages