Every file in a computer system has three dates: the date it was
created, the date it was last modified and the date it was last
accessed. The problem was that the login patch needed to have the same
creation and modification dates as the original login program so that
it would not raise suspicions. It wasn't hard to get the dates but it
was difficult to paste them onto the patch. The last access date
wasn't important as it changed whenever the program was run
anyway--whenever a user of System X logged in.

If Anthrax ripped out the original login program and stitched his
patch in its place, the patch would be stamped with a new creation
date. He knew there was no way to change a creation date short of
changing the clock for the whole system--something which would cause
problems elsewhere in System X.

The first thing a good system admin does when he or she suspects a
break-in is search for all files created or modified over the previous
few days. One whiff of an intruder and a good admin would be all over
Anthrax's login patch within about five minutes.

Anthrax wrote the modification and creation dates down on a bit of
paper.