Date: Sun, 5 May 1996 00:56:03 -0700 (PDT)
From: System Administrator <yankee@anna.az.com>
To: Brian Wang <brian@mail.vividnet.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Weird system security output
Message-ID: <Pine.BSF.3.91.960505005530.22646A-100000@anna.az.com>
In-Reply-To: <Pine.BSF.3.91.960504115115.9617A-100000@taurus.vividnet.com>

I have encountered similar events without any good leads.

On Sat, 4 May 1996, Brian Wang wrote:
> After searching the mail archives, I found the following posted
> question without replies. I'd love some replies though.
>
> > Subject: unaccounted-for mtime and ctime changes on SUID root programs
> > To: questions@FreeBSD.org (FreeBSD questions)
> > Date: Thu, 1 Feb 1996 10:36:26 -0600 (CST)
> > X-Mailer: ELM [version 2.4 PL25]
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset=US-ASCII
> > Content-Transfer-Encoding: 7bit
> > Sender: owner-questions@FreeBSD.org
> > Precedence: bulk
> >
> > A few times with FreeBSD 2.0.5 and now twice with FreeBSD 2.1(CD),
> > the nightly security check has revealed SUID root programs whose
> > modification times have changed. I have immediately put in the
> > backup tapes, pulled down the original files, and compared them.
> > Every time, they have been identical (which is something of a relief
> > to know that worms or trojan horses are not being left around), but
> > I have to wonder how this is happening, and whether it may be an
> > indication of something sinister but more subtle going on (like someone
> > changing the programs, doing their mischief, and then changing them
> > back).
>
> Just last night, I'm having the same problem described above again
> (It occurred a couple of times before). Somehow, the date stamp gets altered
> for no reason...a compromised system? Again, checking the binary file
> from the backup/cdrom yielded nothing. The following is a nightly
> security check output from one of our servers. Is there a rational
> explanation for this? Thanks in advance for any help/answer!
>
> Date: Sat, 4 May 1996 02:00:03 -0700 (PDT)
> From: System Administrator <root@mail.vividnet.com>
> Subject: aquarius security check output
>
> checking setuid files and devices:
> aquarius setuid/device diffs:
> 1c1
> < -r-xr-sr-x 1 bin operator 65536 Nov 16 01:43:41 1995 /bin/df
> ---
> > -r-xr-sr-x 1 bin operator 65536 May 3 02:22:47 1996 /bin/df
>
> Sincerely,
>
> Brian Wang
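
Both reports in this thread end with a manual comparison of the flagged binary against backup media. The Python below is an added example, not part of the original messages or of FreeBSD's nightly security script: it stores a content hash next to the metadata of each listed file so a later comparison can tell a timestamp-only change from a content change. The function names, verdict strings and the temporary stand-in file are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(paths):
    """Record ownership, mode, timestamps and a SHA-256 of each listed file."""
    snap = {}
    for path in paths:
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks and devices; only hash regular files
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        snap[path] = {
            "perm": (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid),
            "times": (st.st_mtime_ns, st.st_ctime_ns),
            "sha256": digest,
        }
    return snap

def classify(old, new):
    """Return {path: verdict} for every path that differs between snapshots."""
    verdicts = {}
    for path in sorted(set(old) | set(new)):
        a, b = old.get(path), new.get(path)
        if a is None or b is None:
            verdicts[path] = "added" if a is None else "removed"
        elif a["sha256"] != b["sha256"]:
            verdicts[path] = "content-changed"
        elif a["perm"] != b["perm"]:
            verdicts[path] = "mode-or-owner-changed"
        elif a["times"] != b["times"]:
            verdicts[path] = "timestamp-only"
    return verdicts

def demo():
    """Constructed temp file standing in for a setuid binary such as /bin/df."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "df")
        with open(path, "wb") as fh:
            fh.write(b"constructed stand-in for a binary\n")
        before = snapshot([path])
        os.utime(path, ns=(0, 10**18))  # rewrite mtime, leave contents alone
        touched = classify(before, snapshot([path]))[path]
        with open(path, "ab") as fh:
            fh.write(b"appended bytes\n")  # now change the contents
        modified = classify(before, snapshot([path]))[path]
    return touched, modified

if __name__ == "__main__":
    print(demo())
```

A matching hash only shows that the file is identical at the two snapshot times; it cannot rule out the change-and-restore scenario raised in the quoted question.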