[Cialug] Slight OT: Joomla & Security

Zachary Kotlarek zach at kotlarek.com
Thu May 24 17:29:15 CDT 2012


On May 24, 2012, at 12:25 PM, James Jones wrote:

> The touch utility is often used to create a file or set its time of modification to the time when touch is run, but one of the possible options lets you specify an arbitrary date/time to use. I wouldn't be surprised if malware made a point of noting the timestamp of the original versions of files it munges and preserving that timestamp in the modified version as part of trying to make things look normal.



Check the inode-changed time (c-time); `touch` and other calls to utimes() always update the inode change time to "now", even if the mtime is a lie.

Also, making the file `immutable` can make it a hassle to change. On Linux you can't prevent users with appropriate access from removing that flag, but it will at least break automated attacks/etc. because it makes the file un-writable, un-renamable, un-unlinkable, etc., even by root until the flag is cleared. Just run:
	`chattr +i /path/to/file`
or to clear the flag:
	`chattr -i /path/to/file`

	Zach
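
The c-time check described in the message above, as an added example that is not part of the original post: it walks a tree and lists regular files whose inode change time falls inside a review window while their mtime claims an earlier date. The function names, the sample file names and the one-hour and seven-day windows are assumptions; it relies on Linux/Unix `st_ctime` semantics, and ordinary metadata changes (chmod, chown, rename, or tar/rsync restoring mtimes) match too, so the output is a list to review.

```python
import os
import stat
import sys
import tempfile
import time


def ctime_newer_than_mtime(root, since):
    """Regular files under root whose inode changed at/after `since`
    (epoch seconds) while their mtime claims an earlier time."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            # On Linux/Unix st_ctime is the inode change time; utimes()
            # moves it to "now" even when it writes a backdated mtime.
            if st.st_ctime >= since and st.st_mtime < since:
                hits.append((path, st.st_mtime, st.st_ctime))
    return sorted(hits)


def demo():
    """Constructed sample: one normally written file, one backdated file."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("index.php", "backdated.php"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("<?php // constructed sample\n")
        old = time.mktime((2010, 1, 1, 0, 0, 0, 0, 0, -1))
        # Same effect as `touch -d`: mtime is set to 2010, ctime becomes now.
        os.utime(os.path.join(root, "backdated.php"), (old, old))
        since = time.time() - 3600  # assumed review window: the last hour
        found = ctime_newer_than_mtime(root, since)
        return [os.path.basename(p) for p, _m, _c in found]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
    else:
        days = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
        since = time.time() - 86400 * days
        for path, mtime, ctime in ctime_newer_than_mtime(sys.argv[1], since):
            print(f"ctime {time.ctime(ctime)}  mtime {time.ctime(mtime)}  {path}")
```

Run with a directory and an optional number of days to scan a real tree; with no arguments it runs the constructed sample.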
