Forbid user set file mtime in the past

Valeri Galtsev galtsev at
Fri Nov 20 17:39:02 UTC 2015

On Fri, November 20, 2015 11:00 am, Artem Kuchin wrote:
> Hello!
> Is there any way to forbid users to set file modification time in the
> past?
> I am asking because many  php viruses somehow set modification time in
> the past
> and just checking what php files were created/modified for the last n
> hours just does
> not work at all.

I know, this is not an answer to you question. Still, relying on anything
on compromised system for forensics is counter productive. Much better
approach would be to keep checksums (and all from long listing including
inode number) of all files on trusted clean ultimately secure machine.
Another thing one can do is to compare all files with, say, backup on the
time before the moment the bad even happened. No mater what time stamps
are, if files differ from backup, there were modified _after_ that time
point. But again, as always they advise, recovery from compromise begins
with fresh system installation, patching, setting up whatever you choose
for "file integrity" checks...

Just my $0.02


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247

More information about the freebsd-questions mailing list