From owner-freebsd-questions Thu Feb  1 08:35:10 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA08431 for questions-outgoing; Thu, 1 Feb 1996 08:35:10 -0800 (PST)
Received: from starfire.mn.org (root@starfire.skypoint.net [199.86.32.187]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id IAA08395 for ; Thu, 1 Feb 1996 08:34:52 -0800 (PST)
From: john@starfire.mn.org
Received: (from john@localhost) by starfire.mn.org (8.6.12/1.1) id KAA20578 for questions@FreeBSD.org; Thu, 1 Feb 1996 10:36:28 -0600
Message-Id: <199602011636.KAA20578@starfire.mn.org>
Subject: unaccounted-for mtime and ctime changes on SUID root programs
To: questions@FreeBSD.org (FreeBSD questions)
Date: Thu, 1 Feb 1996 10:36:26 -0600 (CST)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@FreeBSD.org
Precedence: bulk

A few times with FreeBSD 2.0.5 and now twice with FreeBSD 2.1 (CD), the
nightly security check has revealed SUID root programs whose modification
times have changed.  I have immediately put in the backup tapes, pulled
down the original files, and compared them.  Every time, they have been
identical (which is something of a relief, to know that worms or trojan
horses are not being left around), but I have to wonder how this is
happening, and whether it may be an indication of something sinister but
more subtle going on (like someone changing the programs, doing their
mischief, and then changing them back).

Help?
From daemon Wed Jan 31 02:02:47 1996
Received: (from root@localhost) by starfire.mn.org (8.6.12/1.1) id CAA25289 for root; Wed, 31 Jan 1996 02:00:32 -0600
Date: Wed, 31 Jan 1996 02:00:32 -0600
From: root@starfire.mn.org
Message-Id: <199601310800.CAA25289@starfire.mn.org>
Subject: dexter security check output
Apparently-To: root@starfire.mn.org
Status: OR

checking setuid files and devices:
dexter setuid/device diffs:
41c41
< -r-sr-sr-x  3 root  kmem  180224 Nov 16 03:59:26 1995 /usr/bin/mailq
---
> -r-sr-sr-x  3 root  kmem  180224 Jan 30 03:00:12 1996 /usr/bin/mailq
45c45
< -r-sr-sr-x  3 root  kmem  180224 Nov 16 03:59:26 1995 /usr/bin/newaliases
---
> -r-sr-sr-x  3 root  kmem  180224 Jan 30 03:00:12 1996 /usr/bin/newaliases
126c126
< -r-sr-sr-x  3 root  kmem  180224 Nov 16 03:59:26 1995 /usr/sbin/sendmail
---
> -r-sr-sr-x  3 root  kmem  180224 Jan 30 03:00:12 1996 /usr/sbin/sendmail

From daemon Thu Feb  1 02:02:32 1996
Received: (from root@localhost) by starfire.mn.org (8.6.12/1.1) id CAA13705 for root; Thu, 1 Feb 1996 02:00:24 -0600
Date: Thu, 1 Feb 1996 02:00:24 -0600
From: root@starfire.mn.org
Message-Id: <199602010800.CAA13705@starfire.mn.org>
Subject: dexter security check output
Apparently-To: root@starfire.mn.org
Status: OR

checking setuid files and devices:
dexter setuid/device diffs:
6c6
< -r-sr-xr-x  1 root  bin  139264 Nov 16 03:50:03 1995 /sbin/mount_msdos
---
> -r-sr-xr-x  1 root  bin  139264 Jan 31 13:05:09 1996 /sbin/mount_msdos

John Lind, Starfire Consulting Services
E-mail: john@starfire.MN.ORG
USnail: PO Box 17247, Mpls MN 55417
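The nightly check whose output is quoted above diffs an ls-style listing of setuid files, so a bumped timestamp and a replaced binary produce the same kind of report, and the comparison against the backup tapes has to be done by hand. The following is an added example, not the FreeBSD /etc/security script and not the poster's code: a small Python checker that records a SHA-256 next to each setuid/setgid file's mode, owner, size, mtime and ctime, and classifies a change as "timestamps changed, content identical" (the case in the message) or "content changed". The `demo()` scenario, its file names and contents are constructed in a temporary directory; the `baseline`/`check` command-line mode scanning `/` and the JSON baseline path are assumptions about how it would be deployed.

```python
#!/usr/bin/env python3
"""Setuid/setgid inventory with content hashes (added example; not the
FreeBSD /etc/security script).  A plain listing diff cannot tell a
timestamp change from a content change; storing a SHA-256 alongside the
metadata lets the report say which one happened."""
import hashlib
import json
import os
import stat
import sys
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Return {path: record} for every regular file under root that has the
    setuid or setgid bit set.  lstat is used so symlinks are not followed."""
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            records[path] = {
                "mode": stat.filemode(st.st_mode),  # e.g. -rwsr-xr-x
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "ctime": int(st.st_ctime),
                "sha256": sha256_file(path),
            }
    return records


def compare(baseline, current):
    """Classify each path seen in either inventory.  Content is checked
    first, so a replaced binary is never reported as a mere timestamp bump."""
    findings = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings[path] = "added"
        elif new is None:
            findings[path] = "removed"
        elif old["sha256"] != new["sha256"] or old["size"] != new["size"]:
            findings[path] = "content changed"
        elif (old["mode"], old["uid"], old["gid"]) != (new["mode"], new["uid"], new["gid"]):
            findings[path] = "ownership/mode changed"
        elif old["mtime"] != new["mtime"] or old["ctime"] != new["ctime"]:
            findings[path] = "timestamps changed, content identical"
        else:
            findings[path] = "unchanged"
    return findings


def save(records, path):
    with open(path, "w") as f:
        json.dump(records, f, indent=1, sort_keys=True)


def load(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario in a temp dir (no system binaries are touched):
    one setuid file only has its mtime moved, another gets new content."""
    with tempfile.TemporaryDirectory() as root:
        touched = os.path.join(root, "touched")
        replaced = os.path.join(root, "replaced")
        for p in (touched, replaced):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original\n")
            os.chmod(p, 0o4755)          # set the setuid bit after writing
        base = inventory(root)

        os.utime(touched, (0, 0))        # mtime moves, the bytes do not
        with open(replaced, "wb") as f:  # Linux clears setuid on this write
            f.write(b"#!/bin/sh\necho trojan\n")
        os.chmod(replaced, 0o4755)       # restore the bit so it is still scanned
        findings = compare(base, inventory(root))
        return {os.path.basename(k): v for k, v in findings.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        save(inventory("/"), sys.argv[2])          # assumed deployment: scan /
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        for path, what in compare(load(sys.argv[2]), inventory("/")).items():
            if what != "unchanged":
                print(f"{what:40s} {path}")
    else:
        print(demo())
```

Run it once as `baseline /var/db/suid.json` (path assumed) after an install you trust, then `check /var/db/suid.json` from cron. Two caveats: ctime moves on any chmod, chown or link-count change, so a bare ctime difference with identical mode and hash is expected after routine administration; and in the first report above mailq, newaliases and sendmail all show link count 3 with the same size and timestamps, so one inode appears three times, which a checker that also records `st_ino` could collapse into a single finding.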