Hello,
I have a situation where I think someone has edited files they weren't supposed to.
The first clue is the files are all renamed with a common pattern, the second thing is that running ls -l on the suspect files now shows a date from 2000, even though this computer has only existed for about 6 months.
That makes me nervous. How would someone change the date on a file anyway - with what command? Is there any way for file dates to be changed by accident (the contents of the files look o.k.)?
I tried lsattr on them but it appears that lsattr doesn't work on ReiserFS.
I ran md5sum against the ls, file and md5sum binaries -- it matches the sum of those binaries on another SuSE 7.1 system, but that's not exactly reliable if someone's been messing with stuff (think: root kit. I hope not).
What do y'all think?
----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
JW wrote:
> Hello,
> I have a situation where I think someone has edited files they weren't supposed to.
> The first clue is the files are all renamed with a common pattern, the second thing is that running ls -l on the suspect files now shows a date from 2000, even though this computer has only existed for about 6 months.
1st) What is the pattern?
2nd) That could be true if the files were unpacked from a tar or other archive file, and the date stamp from the archive was placed on the system.
> That makes me nervous. How would someone change the date on a file anyway - with what command? Is there any way for file dates to be changed by accident (the contents of the files look o.k.)?
touch
    -d, --date=STRING    parse STRING and use it instead of current time
> I tried lsattr on them but it appears that lsattr doesn't work on ReiserFS.
What information did you need with lsattr?
> I ran md5sum against the ls, file and md5sum binaries -- it matches the sum of those binaries on another SuSE 7.1 system, but that's not exactly reliable if someone's been messing with stuff (think: root kit. I hope not).
> What do y'all think?
> ----------------------------------------------------
> Jonathan Wilson
> System Administrator
> Cedar Creek Software http://www.cedarcreeksoftware.com
> Central Texas IT http://www.centraltexasit.com
--
What did the skeleton say to the bartender? I'll have two beers and a mop...
On Wed, Oct 31, 2001 at 05:09:23PM -0600, JW wrote:
> Hello,
> I have a situation where I think someone has edited files they weren't supposed to.
> The first clue is the files are all renamed with a common pattern, the second thing is that running ls -l on the suspect files now shows a date from 2000, even though this computer has only existed for about 6 months.
> That makes me nervous. How would someone change the date on a file anyway - with what command? Is there any way for file dates to be changed by accident (the contents of the files look o.k.)?
I think you got the output of some filechecking-utility. It is not the file which has changed, but the output of the ls-command. It shows "Mon DD HH:MM" for files which are younger than 6 months and shows "Mon DD YYYY" for older files.
Peter
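The points raised in the replies above (touch -d, archive extraction restoring old dates, and ls printing a year for files older than six months), as an added example that is not part of the original thread: a shell check that lists files whose modification time predates a cutoff while their inode change time (ctime) is later, since ctime records when the timestamp was actually set. It assumes GNU coreutils; the function name, the cutoff date and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (touch -d, stat -c).

# backdated_files DIR CUTOFF_EPOCH   (hypothetical helper name)
# List files under DIR whose mtime is older than the cutoff although their
# ctime is newer. The kernel updates ctime on every rename, chmod or
# timestamp change, and touch cannot set it, so ctime shows when the old
# mtime was really applied.
backdated_files() {
    dir=$1
    cutoff=$2
    find "$dir" -type f | while IFS= read -r f; do
        mtime=$(stat -c %Y "$f")    # last data modification, epoch seconds
        ctime=$(stat -c %Z "$f")    # last inode change, epoch seconds
        if [ "$mtime" -lt "$cutoff" ] && [ "$ctime" -ge "$cutoff" ]; then
            stat -c '%n mtime=%y ctime=%z' "$f"
        fi
    done
}

demo() {
    work=$(mktemp -d) || return 1
    cutoff=988675200    # 2001-05-01 00:00 UTC, constructed "install date"

    echo data > "$work/normal.txt"

    # Case 1: the mtime is set by hand with touch -d.
    echo data > "$work/touched.txt"
    touch -d '2000-03-15 12:00' "$work/touched.txt"

    # Case 2: tar restores the mtime stored in the archive on extraction.
    mkdir "$work/src" "$work/dst"
    echo data > "$work/src/archived.txt"
    touch -d '2000-07-04 09:30' "$work/src/archived.txt"
    tar -C "$work/src" -cf "$work/a.tar" archived.txt
    tar -C "$work/dst" -xf "$work/a.tar"

    # ls prints "Mon DD  YYYY" for the old mtime, "Mon DD HH:MM" for the new.
    ls -l "$work/normal.txt" "$work/touched.txt" "$work/dst/archived.txt"

    backdated_files "$work" "$cutoff"
    rm -rf "$work"
}

demo
```

A match only says the mtime was set after the cutoff; extracting an archive produces the same pattern as touch -d, and ctime itself is not proof against someone with root.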
participants (3): JW, Keith Hopkins, Peter Wiersig