Date: Fri, 7 Aug 1998 23:49:35 -0700 (PDT)
From: dima@best.net (Dima Ruban)
To: brett@lariat.org (Brett Glass)
Cc: dima@best.net, dg@root.com, roberto@keltia.freenix.fr, FreeBSD-security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
Message-ID: <199808080649.XAA06334@burka.rdy.com>
In-Reply-To: <199808080641.AAA16434@lariat.lariat.org> from Brett Glass at "Aug 8, 1998 0:40:49 am"

Brett Glass writes:
> At 09:03 PM 8/7/98 -0700, Dima Ruban wrote:
>
> >We usually get this bug once in two weeks. But since file by itself
> >stays the same and machine doesn't crash, fixing/finding the problem
> >wasn't in our TODO list.
>
> The MD5 of the file stayed the same, and diff reveals no change. But
> we can't turn off the alarm that's triggered by the date change in
> /usr/sbin without potentially missing breakins, so our two new admins
> are constantly getting scary messages.

I wouldn't even know about this bug, if somebody from my users wouldn't
be checking what was changed since the last time he's checked (once a day).
He mentioned that /usr/bin/du gets changed every once in a while.
That forced me to spend some time monitoring this particular machine.
And I found out that the only thing that was changed was the modification
date on /usr/bin/du.
Etc etc etc etc. The rest you already know.

>
> --Brett
>

-- dima