Monday, July 21, 2014

What time is it ? atime ctime mtime

In  the unix world and with  the  unix find command, you will need to  know how to search for files that are  suspect of being access/readed, modify or created. Knowing the difference of the three time options with the unix find command, can come in handy. These are known as;
  • atime
  • ctime
  • mtime

Take a look at the following find command using "atime" ( access )

The file name ken1 is being  query by the find string to see if it was access within the last 30s. Access can be any thing such as; access via the  vi, file, cat,  head, tail  or  more, etc.... .

You can use a time modifier such as second, minutes or hours. ( s m h ). In  the  next following demo, we are using 1hour,  60minutes or 3600seconds ( all  = 1 hour btw )

note: without a modifier  atime/ctime/mtime uses 1day

Okay now, how about  the - or  + options? This   "-"  simply means within the last time period or with the "+ "  greater than the  specified time period .

Moving on, let's look at ctime.  The ctime is the creation time. We can also use the a time quantifier to look for  creation of files within a specific time or range.

NOTE:  keep in mind a  file creation time is just that, the time it was created. The access time can't be greater than the creation time.

And lastly, the mtime. Is  the time of the file modification. Take these examples;




Okay in  example 3 you will see that by the  meer appending of data to an "existing" file does not change the "access" time. So by me echoing  data into an exiting file doesn't change the access-time, but by echoing data into an existing file, will change the modification time.


The reason & need  for understanding the unix time options, & with the command find is simple;" you need to know the difference with the  inspecting and comparison of files for determining  tampering". This is crictical when you suspect any of the following;

  •    file tampering or modifications
  •    inspection for any compromised file ( rootkits, trojans, etc....)
  •    when conducting forensics or incident handling

Every unix administrator or systems security engineer, should know the difference and understand  these options for the analysis of file creation, access,  or  modifications.

Common clues that you system has been compromised;
  •  utmp/wtmp data is gone
  •  logs are cleared or deleted
  •  the passwd/shadow files are modified or new accounts added or even accounts deleted
  •  crontab entries are changed or delete
  •  the unix utility  lsof shows unknown open file  or unknown services
  •  new daemons are running
  •  process counts are higher than normal
  • the box has been reboot or changed uptime 
  • the file permissions have been changed
  • new files that are hidden
  •  etc....

One last bit of info, it best practice to ensure your unix/linux servers are running a suitable time daemon. It 's also best practice to ensure you know the timezone  that the host is in and to use this TZ information in your collection and reporting.

note: be advise,  as an ethical hacker, I always modify the system time and kill the ntp services to throw off my scent. With out the correct time, it's harder to piecemeal a system breech timeline

The best way to determine your timezone is to use any of the following;

date +%Z



Finally,  for alerting on file changes. It's best to use a tripwire and a rootkit hunter aka rkthunter.

Imho, I think every newly installed systems should have a md5 hash create for all binaries in /usr/bin; /usr/local/bin; etc.....  These hash should be store offline or import into a database. In my experience, one the most common method  a hacker deploys, is to replace known binaries with trojans and to  modify rc.local or linux startup scripts  under /etc/init.d

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( #  # )=
      /   \

No comments:

Post a Comment