[9533] in bugtraq
Re: ISS Internet Scanner Cannot be relied upon for conclusive
daemon@ATHENA.MIT.EDU (Darren Reed)
Fri Feb 12 21:28:06 1999
Date: Fri, 12 Feb 1999 23:57:19 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To: dleblanc@MINDSPRING.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3.0.3.32.19990210104732.00cf0950@mail.mindspring.com> from
"David LeBlanc" at Feb 10, 99 10:47:32 am
In some mail from David LeBlanc, sie said:
>
> At 07:37 PM 2/10/99 +1100, Darren Reed wrote:
> >In some mail from David LeBlanc, sie said:
>
> >> We check file dates when checking for NT patches, and would catch your
> >> example.
>
> >I don't see how that can be considered "adequate".
>
> Because it is going to be accurate on 99+% of NT systems. The file
> timestamps are all the same when you install a hotfix. If you _really_
> want to be sure no one has put trojans on a box, you need to baseline the
> system (our system scanner does this, as does tripwire, and others).

It's not the trojans I'm concerned about so much as other timestamp
influences which may lead to the result of the test being 'false'.
Although NT doesn't come pre-installed with tools such as file(1) or
touch(1) (which can easily be used - accidentally - by a naive person
with root to adjust date/time stamps), it isn't without the means to
change time stamps by accident.

Using timestamps is, IMHO, a "cheap" solution, which if you can get away
with it is probably why it has been taken :-)
Darren
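
Added example, not part of the original message or of any scanner discussed in the thread: a Python sketch contrasting the two checks argued over above, a file-date comparison and a content baseline of the kind tripwire keeps. The file name, contents and timestamp value are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed timestamp (whole seconds, Feb 1999) standing in for a hotfix's file date.
HOTFIX_NS = 918_000_000 * 10**9


def snapshot(path):
    """Record what each check relies on: the mtime and a SHA-256 of the content."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"mtime": os.stat(path).st_mtime_ns, "sha256": digest}


def timestamp_check(path, baseline):
    """Date-based test: passes only if the file date still matches."""
    return os.stat(path).st_mtime_ns == baseline["mtime"]


def hash_check(path, baseline):
    """Baseline test: passes only if the content still matches."""
    return snapshot(path)["sha256"] == baseline["sha256"]


def run_demo():
    """Return {case: (timestamp_check_passed, hash_check_passed)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "patched.dll")  # constructed stand-in file
        with open(path, "wb") as f:
            f.write(b"hotfix build 2\n")
        os.utime(path, ns=(HOTFIX_NS, HOTFIX_NS))
        baseline = snapshot(path)

        # Case 1: the date moves by accident (touch-style), content untouched.
        later = HOTFIX_NS + 86_400 * 10**9
        os.utime(path, ns=(later, later))
        results["touched"] = (timestamp_check(path, baseline), hash_check(path, baseline))

        # Case 2: the content differs but the file carries the expected date.
        with open(path, "wb") as f:
            f.write(b"hotfix build 1\n")
        os.utime(path, ns=(HOTFIX_NS, HOTFIX_NS))
        results["replaced"] = (timestamp_check(path, baseline), hash_check(path, baseline))
    return results


if __name__ == "__main__":
    for case, (by_date, by_hash) in run_demo().items():
        print(f"{case:9s} date check passed={by_date}  hash check passed={by_hash}")
```

The date check fails on the touched but correct file and passes on the file whose content differs, while the content baseline gets both cases right.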