From owner-freebsd-security Wed Aug 5 09:43:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA14623 for freebsd-security-outgoing; Wed, 5 Aug 1998 09:43:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org ([206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA14617 for ; Wed, 5 Aug 1998 09:43:42 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id KAA04281; Wed, 5 Aug 1998 10:43:28 -0600 (MDT)
Message-Id: <199808051643.KAA04281@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Wed, 05 Aug 1998 10:27:30 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Does this mean we have another breakin?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Found this in the security output this morning, after ANOTHER spontaneous crash.

setuid diffs:
9c9
< -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/restore
---
> -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/restore
11c11
< -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/rrestore
---
> -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/rrestore

Does this mean we have intruders? I think I might have *run* restore at that time as root, but didn't think it was self-modifying.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
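A triage aid for the "setuid diffs" report quoted in the message above, added here as an example and not part of the original post: it parses the diff of `ls`-style entries and reports, per path, which listed fields differ between the old and new lines. The function name `changed_fields` and the regular expression are this example's own assumptions about the line layout shown in the message.

```python
import re

# Sample input: the two diff hunks quoted in the message, embedded for offline use.
SAMPLE = """\
9c9
< -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/restore
---
> -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/restore
11c11
< -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/rrestore
---
> -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/rrestore
"""

FIELDS = ("mode", "links", "owner", "group", "size", "mtime")
# Assumed layout: side marker, mode, link count, owner, group, size, timestamp, path.
ENTRY = re.compile(
    r"^(?P<side>[<>])\s+(?P<mode>\S+)\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(?P<path>/.*)$"
)

def changed_fields(diff_text):
    """Map each path to the ls fields that differ between old (<) and new (>)."""
    old, new = {}, {}
    for line in diff_text.splitlines():
        m = ENTRY.match(line)
        if m:  # hunk headers ("9c9") and separators ("---") do not match
            # Collapse runs of spaces so column padding is not seen as a change.
            entry = {k: " ".join(v.split()) for k, v in m.groupdict().items()}
            (old if entry["side"] == "<" else new)[entry["path"]] = entry
    report = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            report[path] = ["added"]      # new setuid/setgid file appeared
        elif path not in new:
            report[path] = ["removed"]
        else:
            report[path] = [f for f in FIELDS if old[path][f] != new[path][f]]
    return report

if __name__ == "__main__":
    for path, fields in changed_fields(SAMPLE).items():
        print(path, "->", ", ".join(fields) or "no listed field changed")
```

The listing carries no information about file contents, so an unchanged size and mode here says nothing either way about the bytes on disk; that question needs a comparison against a known-good checksum or copy.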