From: dima@best.net (Dima Ruban)
Reply-To: dima@best.net
To: brett@lariat.org (Brett Glass)
Cc: dima@best.net, dg@root.com, roberto@keltia.freenix.fr, FreeBSD-security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
Date: Fri, 7 Aug 1998 23:49:35 -0700 (PDT)
Message-Id: <199808080649.XAA06334@burka.rdy.com>
In-Reply-To: <199808080641.AAA16434@lariat.lariat.org> from Brett Glass at "Aug 8, 1998 0:40:49 am"
Organization: HackerDome

Brett Glass writes:
> At 09:03 PM 8/7/98 -0700, Dima Ruban wrote:
>
> >We usually get this bug once in two weeks. But since file by itself
> >stays the same and machine doesn't crash, fixing/finding the problem
> >wasn't in our TODO list.
>
> The MD5 of the file stayed the same, and diff reveals no change. But
> we can't turn off the alarm that's triggered by the date change in
> /usr/sbin without potentially missing breakins, so our two new admins
> are constantly getting scary messages.

I wouldn't even know about this bug if one of my users weren't
checking what was changed since the last time he checked (once a day).
He mentioned that /usr/bin/du gets changed every once in a while.
That forced me to spend some time monitoring this particular machine.
And I found out that the only thing that was changed was the modification
date on /usr/bin/du. Etc etc etc etc. The rest you already know.

>
> --Brett
>

-- dima
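
Added example (not part of the original message, and not FreeBSD's own tooling): a minimal integrity check that separates the case described in this thread, a modification date that moves while the file's bytes stay identical, from a real content change, so the date alarm can stay on at lower severity instead of being switched off. SHA-256 is used in place of the MD5 mentioned in the thread; the function names and verdict labels are hypothetical.

```python
import hashlib
import os
import tempfile

def snapshot(paths):
    """Record content hash and the metadata an integrity check compares."""
    snap = {}
    for path in paths:
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        snap[path] = {"sha256": digest, "mtime_ns": st.st_mtime_ns,
                      "owner_mode": (st.st_mode, st.st_uid, st.st_gid)}
    return snap

def classify(old, new):
    """Return {path: verdict}; the most serious difference wins."""
    verdicts = {}
    for path in sorted(set(old) | set(new)):
        a, b = old.get(path), new.get(path)
        if a is None or b is None:
            verdicts[path] = "ADDED" if a is None else "REMOVED"
        elif a["sha256"] != b["sha256"]:
            verdicts[path] = "CONTENT_CHANGED"   # page the admins
        elif a["owner_mode"] != b["owner_mode"]:
            verdicts[path] = "PERMS_CHANGED"     # same bytes, mode or owner differs
        elif a["mtime_ns"] != b["mtime_ns"]:
            verdicts[path] = "MTIME_ONLY"        # log at low severity, keep watching
        else:
            verdicts[path] = "UNCHANGED"
    return verdicts

def demo():
    """Constructed sample: three scratch files stand in for system binaries."""
    with tempfile.TemporaryDirectory() as d:
        files = {n: os.path.join(d, n) for n in ("cat", "du", "ls")}
        for path in files.values():
            with open(path, "wb") as fh:
                fh.write(b"original bytes")
        before = snapshot(files.values())
        st = os.stat(files["du"])            # du: timestamp moves, bytes do not
        os.utime(files["du"], ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        with open(files["ls"], "wb") as fh:  # ls: contents replaced
            fh.write(b"different bytes!")
        after = snapshot(files.values())
        return {os.path.basename(p): v for p, v in classify(before, after).items()}

if __name__ == "__main__":
    print(demo())
```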