Underground.

   him do anything, go anywhere. He could login as any user using the
   master password. Further, when he logged in with the master password,
   he wouldn't show up on any log files--leaving no trail. But the beauty
   of the login patch was that, in every other way, it ran as the normal
   login program. The regular computer users--all three of them--could
   login as usual with their passwords and would never know Anthrax had
   been in the system.


   He thought about ways of setting up his login patch. Installing a
   patch on System X wasn't like mending a pair of jeans. He couldn't
   just slap on a swath from an old bandanna and quick-stitch it in with
   a thread of any colour. It was more like mending an expensive cashmere
   coat. The fabric needed to be a perfect match in colour and texture.
   And because the patch required high-quality invisible mending, the
   size also needed to be just right.


   Every file in a computer system has three dates: the date it was
   created, the date it was last modified and the date it was last
   accessed. The problem was that the login patch needed to have the same
   creation and modification dates as the original login program so that
   it would not raise suspicions. It wasn't hard to get the dates but it
   was difficult to paste them onto the patch. The last access date
   wasn't important as it changed whenever the program was run
   anyway--whenever a user of the System X logged in.


   If Anthrax ripped out the original login program and stitched his
   patch in its place, the patch would be stamped with a new creation
   date. He knew there was no way to change a creation date short of
   changing the clock for the whole system--something which would cause
   problems elsewhere in System X.


   The first thing a good system admin does when he or she suspects a
   break-in is search for all files created or modified over the previous
   few days. One whiff of an intruder and a good admin would be all over
   Anthrax's login patch within about five minutes.
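
   Added example, not part of the book: the search described above keys
   on modification time, so it misses a file overwritten in place whose
   modification date was set back. This Python sketch, run on a
   constructed temporary file (the helper names and the three-day window
   are assumptions), compares that search with a POSIX inode-change-time
   check and a stored SHA-256 baseline.

```python
import hashlib
import os
import tempfile
import time

WINDOW = 3 * 86400  # "the previous few days", in seconds (assumed value)

def snapshot(path):
    """Baseline record for one file: size, modification time, content hash."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}

def mismatches(path, baseline):
    """Names of baseline fields that no longer match the file on disk."""
    current = snapshot(path)
    return [field for field in baseline if current[field] != baseline[field]]

def recent_by_mtime(path, now):
    """The 'modified in the last few days' search, applied to one file."""
    return now - os.stat(path).st_mtime <= WINDOW

def recent_by_ctime(path, now):
    """Same search on the inode change time, which POSIX updates on any
    write or metadata change and which utime() cannot set."""
    return now - os.stat(path).st_ctime <= WINDOW

def demo():
    """Build a constructed file, replace its content in place, set the
    modification time back, and report what each check sees."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "login")         # stand-in file, not a real binary
        with open(path, "wb") as f:
            f.write(b"ORIGINAL-LOGIN-PROGRAM")     # constructed content, 22 bytes
        os.utime(path, (1_000_000_000, 1_000_000_000))  # constructed old timestamp
        baseline = snapshot(path)

        with open(path, "wb") as f:                # same-size overwrite in place
            f.write(b"REPLACED-LOGIN-PROGRAM")
        os.utime(path, ns=(baseline["mtime_ns"], baseline["mtime_ns"]))

        now = time.time()
        return {
            "recent_by_mtime": recent_by_mtime(path, now),
            "recent_by_ctime": recent_by_ctime(path, now),
            "mismatches": mismatches(path, baseline),
        }

if __name__ == "__main__":
    print(demo())
```

   Size and modification time still match the baseline; only the content
   hash and the inode change time give the replacement away.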


   Anthrax wrote the modification and creation dates down on a bit of
   paper. He would need those in a moment. He also jotted down the size
   of the login file.


   Instead of tearing out the old program and sewing in a completely new
   one, Anthrax decided to overlay his patch by copying it onto the top
   of the old program. He uploaded his own login patch, with his master
   password encased inside it, but he didn't install it yet. His patch
   was called `troj'--short for Trojan. He typed:




   The cat command told the computer: `go get the data in the file called
   "troj" and put it in the file "/bin/login"'. He checked the piece of
   paper where he had scribbled down the original file's creation and
   modification dates, comparing them to the new patch. The creation date
   and size matched the original. The modification date was still wrong,
   but he was two-thirds of the way home.


   Anthrax began to fasten down the final corner of the patch by using a
   little-known feature of the command: