From owner-freebsd-hackers Thu Aug 10 02:07:26 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id CAA25968 for hackers-outgoing; Thu, 10 Aug 1995 02:07:26 -0700
Received: from mpp.minn.net (mpp.Minn.Net [204.157.201.242]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id CAA25960 for ; Thu, 10 Aug 1995 02:07:23 -0700
Received: (from mpp@localhost) by mpp.minn.net (8.6.11/8.6.9) id EAA02358 for freebsd-hackers@freebsd.org; Thu, 10 Aug 1995 04:07:36 -0500
From: Mike Pritchard
Message-Id: <199508100907.EAA02358@mpp.minn.net>
Subject: daily insecurity output (fwd)
To: freebsd-hackers@freebsd.org
Date: Thu, 10 Aug 1995 04:07:35 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1115
Sender: hackers-owner@freebsd.org
Precedence: bulk

I received the following from the security section of my /etc/daily
report, and I'm not totally sure what to make of it. My last
make world/install was on Jul 13, but I know I did not re-install
a new /bin/ps today. However, I did reboot my machine at 18:23
at that time to clear up a problem that was causing all of the
virtual consoles to be unusable.

> checking setuid files and devices:
> mpp setuid/device diffs:
> 2c2
> < -r-xr-sr-x 1 bin kmem 151552 Jul 13 18:04:08 1995 /bin/ps
> ---
> > -r-xr-sr-x 1 bin kmem 151552 Aug 9 18:23:38 1995 /bin/ps

I think I also located another binary with an odd timestamp, but
I'll have to look into that some more.

Probably the most important fact in all this is that the reboot
I did at 18:23 was to boot a -current kernel. Before that I was
running a kernel that was about 2 - 2.5 weeks behind -current.

Does anyone have any ideas about this? (I'm doing a full security
audit as I type this to see if I might have had a real breakin)
--
Mike Pritchard
mpp@mpp.minn.net
"Go that way. Really fast. If something gets in your way, turn"
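
An added example, not part of the original message: a small triage helper that reads a setuid/device diff like the one quoted above and reports which listing fields changed for each path. The field names, the regular expression and the function names are assumptions made for this sketch, and the sample input is the quoted pair with the mail quoting prefix removed.

```python
import re
from datetime import datetime

# Sample input: the listing pair quoted in the message, mail "> " prefix removed.
SAMPLE = """\
2c2
< -r-xr-sr-x 1 bin kmem 151552 Jul 13 18:04:08 1995 /bin/ps
---
> -r-xr-sr-x 1 bin kmem 151552 Aug 9 18:23:38 1995 /bin/ps
"""

# One "<" (old) or ">" (new) line of a normal diff over a long listing with
# full timestamps. Hypothetical field names, chosen for this example.
LINE = re.compile(
    r"^(?P<side>[<>]) (?P<mode>\S{10})\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<path>.+)$"
)
FIELDS = ("mode", "links", "owner", "group", "size", "stamp")

def parse(diff_text):
    """Return {path: {"<": fields, ">": fields}} for every listing line."""
    entries = {}
    for line in diff_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # hunk headers ("2c2") and separators ("---")
        rec = m.groupdict()
        stamp = " ".join(rec["stamp"].split())  # collapse day padding
        rec["stamp"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        entries.setdefault(rec["path"], {})[rec["side"]] = rec
    return entries

def changed_fields(diff_text):
    """Map each path to the fields that differ, or to 'added'/'removed'."""
    report = {}
    for path, sides in parse(diff_text).items():
        if "<" not in sides:
            report[path] = ["added"]
        elif ">" not in sides:
            report[path] = ["removed"]
        else:
            old, new = sides["<"], sides[">"]
            report[path] = [f for f in FIELDS if old[f] != new[f]]
    return report

if __name__ == "__main__":
    for path, fields in changed_fields(SAMPLE).items():
        print(path, "->", ", ".join(fields) or "no field differs")
```

For the quoted pair this reports only the timestamp as changed. An unchanged size does not show that the contents are unchanged; comparing a checksum against a known-good copy does.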