[3423] in bugtraq
Re: antizap2.
daemon@ATHENA.MIT.EDU (Wolfgang Ley)
Wed Oct 9 15:34:41 1996
Date: Wed, 9 Oct 1996 18:38:00 +0200
Reply-To: Wolfgang Ley <ley@cert.dfn.de>
From: Wolfgang Ley <ley@cert.dfn.de>
X-To: dreamer@garrison.inetcan.net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.LNX.3.91.961008223037.15556A-100000@garrison.inetcan.net>
from "Digital Dreamer" at Oct 8, 96 10:31:01 pm
-----BEGIN PGP SIGNED MESSAGE-----
Digital Dreamer wrote:
>
> Here's a little utility I wrote to detect if zap2 has been used on your
> wtmp file. I've tested it on Linux; it works fine on that, and it
> _should_ theoretically work on any other platform that zap2 works on.
> It just searches for null blocks in wtmp. I have another version that
> will intelligently warn about UT_UNKNOWNs, null hostnames, etc, so a
> simple hack to zap2 won't defeat it, but that one isn't complete yet.
> I'll email the URL I've put it up at when I complete it. But until then,
> here's az2.c.
There are several problems associated with that kind of tool. In particular,
you'll only recognize overwrites with null bytes. If the overwriting is done
cleverly enough, then you can't detect it.
If it is done stupidly enough (like zap/zap2), you can also find the
approximate time when the deletion was made, and some other information.
For a tool that does this, see also "chkwtmp" and perhaps "chklastlog".
The tools have been available since 1994, for example from our ftp server:
ftp://ftp.cert.dfn.de/pub/tools/audit/chklastlog/
ftp://ftp.cert.dfn.de/pub/tools/audit/chkwtmp/
Bye,
Wolfgang Ley.
- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/ ...have a nice day
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
iQCVAwUBMlvU5QQmfXmOCknRAQFBagP/f4g9rhEcHDnVNuZS3p5Ph+OUTd1AEbu9
qk7lbKllk6hJJSqVGYZmaD+IWjjTisOZDbM71ujSwVban9tG2hdfM7UFa9N2xMSH
v1nCdPbwmUUR9fsCQky5UQN7b7tN45V/BAzeMQMHaoj22ruS5vwS0V91p2MS16gb
eRlyxUIPrjA=
=YSFj
-----END PGP SIGNATURE-----
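As an added illustration of the detection approach discussed in this thread (this is neither az2.c nor DFN-CERT's chkwtmp, and it is not code from either poster): a C scanner over a constructed wtmp-style buffer that finds runs of all-zero records, brackets each run with the timestamps of the surrounding intact records (the erased entries must have been written between those two times), and separately counts records that a lazier wipe would leave behind, such as a record whose type was cleared but whose other fields survive, or a login with no user name. The record layout `struct wtmp_rec` is a simplified assumption standing in for the platform's `struct utmp`; the sample records, user names, host names and times are constructed for the example.

```c
/* Added example: scan a wtmp-style file for records that zap2-style
 * tools leave behind. This is NOT az2.c or DFN-CERT's chkwtmp; it is a
 * from-scratch illustration of the same idea.
 * ASSUMPTION: struct wtmp_rec below is a simplified stand-in for the
 * platform's struct utmp. A real tool must use <utmp.h>/<utmpx.h> and
 * step through the file by the exact record size the local libc uses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WT_EMPTY        0   /* same meaning as EMPTY in <utmp.h> */
#define WT_USER_PROCESS 7   /* a login */
#define WT_DEAD_PROCESS 8   /* a logout */

struct wtmp_rec {
    int16_t ut_type;
    int32_t ut_pid;
    char    ut_line[32];
    char    ut_user[32];
    char    ut_host[64];
    int32_t ut_time;        /* seconds since the epoch */
};

/* A run of consecutive all-zero records, bracketed by the ut_time of the
 * nearest intact record on each side (0 when there is none). */
struct wipe_run {
    size_t  first;          /* index of the first zeroed record */
    size_t  count;          /* number of consecutive zeroed records */
    int32_t before;
    int32_t after;
};

static int all_zero(const unsigned char *p, size_t n)
{
    while (n--)
        if (*p++) return 0;
    return 1;
}

/* Finds runs of zeroed records (the crude zap2 signature). Returns the
 * number of runs (at most max_runs are stored), or -1 when the file is
 * not a whole number of records, which is itself worth investigating. */
int scan_wtmp(const unsigned char *buf, size_t len,
              struct wipe_run *runs, int max_runs)
{
    const size_t rs = sizeof(struct wtmp_rec);
    if (len % rs != 0)
        return -1;

    int nruns = 0, in_run = 0;
    int32_t last_time = 0;  /* ut_time of the last intact record seen */
    for (size_t i = 0; i < len / rs; i++) {
        const unsigned char *p = buf + i * rs;
        struct wtmp_rec r;
        memcpy(&r, p, rs);  /* copy out: no alignment assumptions */

        if (all_zero(p, rs)) {
            if (!in_run && nruns < max_runs) {
                runs[nruns].first  = i;
                runs[nruns].count  = 0;
                runs[nruns].before = last_time;
                runs[nruns].after  = 0;
            }
            if (nruns < max_runs) runs[nruns].count++;
            in_run = 1;
            continue;
        }
        if (in_run) {
            if (nruns < max_runs) runs[nruns].after = r.ut_time;
            nruns++;
            in_run = 0;
        }
        last_time = r.ut_time;
    }
    if (in_run) nruns++;    /* file ends inside a run */
    return nruns;
}

/* The "smarter" checks the original poster mentions: a record whose type
 * is EMPTY but whose other bytes are not zero (a wipe that cleared only
 * the type), and a login record with no user name. An empty ut_host is
 * deliberately NOT flagged: console logins legitimately have none, so
 * that check alone produces false positives. */
int count_suspicious(const unsigned char *buf, size_t len)
{
    const size_t rs = sizeof(struct wtmp_rec);
    int n = 0;
    for (size_t off = 0; off + rs <= len; off += rs) {
        struct wtmp_rec r;
        if (all_zero(buf + off, rs)) continue;   /* scan_wtmp's job */
        memcpy(&r, buf + off, rs);
        if (r.ut_type == WT_EMPTY) n++;
        else if (r.ut_type == WT_USER_PROCESS && r.ut_user[0] == '\0') n++;
    }
    return n;
}

static void put_rec(unsigned char *dst, int16_t type, int32_t pid,
                    const char *line, const char *user, const char *host,
                    int32_t when)
{
    struct wtmp_rec r;
    memset(&r, 0, sizeof r);    /* also zeroes struct padding */
    r.ut_type = type;
    r.ut_pid  = pid;
    strncpy(r.ut_line, line, sizeof r.ut_line - 1);
    strncpy(r.ut_user, user, sizeof r.ut_user - 1);
    strncpy(r.ut_host, host, sizeof r.ut_host - 1);
    r.ut_time = when;
    memcpy(dst, &r, sizeof r);
}

/* Constructed sample file (not real data): six records, of which records
 * 1 and 2 were overwritten with zeros the way zap2 leaves them, and
 * record 5 had only its type cleared. Returns the length in bytes. */
#define SAMPLE_RECS 6
size_t build_sample(unsigned char *buf)
{
    const size_t rs = sizeof(struct wtmp_rec);
    put_rec(buf + 0 * rs, WT_USER_PROCESS, 101, "tty1",  "alice",   "",             1000);
    memset(buf + 1 * rs, 0, 2 * rs);     /* the zapped login and logout */
    put_rec(buf + 3 * rs, WT_DEAD_PROCESS, 101, "tty1",  "",        "",             3000);
    put_rec(buf + 4 * rs, WT_USER_PROCESS, 202, "ttyp0", "bob",     "host.example", 4000);
    put_rec(buf + 5 * rs, WT_EMPTY,        303, "ttyp1", "mallory", "evil.example", 5000);
    return SAMPLE_RECS * rs;
}

int main(void)
{
    unsigned char buf[SAMPLE_RECS * sizeof(struct wtmp_rec)];
    size_t len = build_sample(buf);
    struct wipe_run runs[8];
    int n = scan_wtmp(buf, len, runs, 8);
    for (int i = 0; i < n; i++)
        printf("wiped: %zu record(s) at #%zu, written between %d and %d\n",
               runs[i].count, runs[i].first, runs[i].before, runs[i].after);
    printf("other suspicious records: %d\n", count_suspicious(buf, len));
    return 0;
}
```

The zero-block scan is exactly what Wolfgang's caveat applies to: an attacker who overwrites the record with a plausible-looking entry instead of zeros defeats it, and only the bracketing timestamps and the cross-checks against other logs (lastlog, process accounting, syslog) give any further hold.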