From: Glyn Grinstead
To: Mark Felder
Cc: freebsd-security@freebsd.org
Date: Thu, 26 Feb 2015 20:12:34 +0000
Subject: Re: has my 10.1-RELEASE system been compromised
Message-ID: <20150226201234.GA1920@dhole.grinstead.net>
In-Reply-To: <1424973772.4085078.232885457.0277C7ED@webmail.messagingengine.com>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl> <1424973772.4085078.232885457.0277C7ED@webmail.messagingengine.com>

On Thu, 26 Feb 2015 at 12:02:52 -0600, Mark Felder wrote:
> On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
> >
> > Example:
> > # touch -t 201501010000 foo
> > # find / -user www -newer foo
>
> Thanks for posting this trick -- I've never considered it before and
> will certainly put it in my toolbox!

While Walter is correct to give the universal form, if you know your
system supports the -newerXY option you can skip the temporary file and
use:

# find / -user www -newermt 2015-01-01

Find is a fun program to get to grips with to spot odd things going on.
There's a tendency to assume you need to know what you're looking for in
the first place, but you can also tell it to show you things you don't
know about:

Files with an unknown user or group (tidying up after restoring
partially from a backup, or spotting hacks that weren't quite elegant
enough):

# find / -nouser -o -nogroup

I know my $PATH will have executables in it, and some other directories
are almost certain to contain executables as well. But where are there
executables that aren't in the usual places (maybe hacks, maybe users
riding roughshod across the system installing things in strange places
to trip people up later when they don't get patched)?
# find -E / -type d -regex "`echo $PATH | sed -e \"s/:/\|/g\"`|/usr/libexec|/boot|/usr/src|/usr/local/etc/rc.d|/usr/local/lib|/usr/local/libexec|/usr/ports/.*/work|/usr/obj|/rescue|/etc/rc.d|/etc/periodic|/libexec" -prune -o -type f -perm +111 -print

And you can combine them, of course: modified since 1st Jan 2015, a
regular file and executable:

# find / -newermt 2015-01-01 -type f -perm +111

Glyn.

(Something of a fan of find :-)
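Added example, not part of Glyn's mail: the last search above (executables modified since a date, outside the directories expected to hold them) as a small POSIX sh function, run against a constructed directory tree. It uses -path/-prune and -perm -u+x in place of the mail's -E -regex and -perm +111 so the same script runs under both FreeBSD and GNU find (-newermt is assumed available); the pruned directory list and the sample files are assumptions for the demo, not a recommended allow-list.

```shell
#!/bin/sh
# Added example (not from the original mail). Lists executables modified
# on or after a given date that live outside directories expected to hold
# executables. Assumes -newermt and -perm -u+x are accepted by find(1)
# (true for FreeBSD and GNU find). Paths below are constructed for the demo.

# Hypothetical helper: $1 = root to scan, $2 = date (YYYY-MM-DD),
# remaining arguments = directories under the root that are expected to
# contain executables and are therefore pruned from the search.
find_unexpected_exec() {
    root=$1; since=$2; shift 2
    if [ $# -eq 0 ]; then
        find "$root" -type f -perm -u+x -newermt "$since" -print
        return
    fi
    # Turn the list into "( -path root/a -o -path root/b )" for find.
    first=1
    for d in "$@"; do
        if [ $first -eq 1 ]; then set -- -path "$root/$d"; first=0
        else set -- "$@" -o -path "$root/$d"; fi
    done
    find "$root" \( "$@" \) -prune -o \
        -type f -perm -u+x -newermt "$since" -print
}

# Build a constructed tree in a temp dir, search it with 2015-01-01 as the
# cut-off, and print the hits relative to the root, sorted.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/bin" "$t/usr/local/bin" "$t/home/www" "$t/var/www" "$t/tmp/.cache"
    mk() { : > "$1"; chmod "$2" "$1"; touch -t "$3" "$1"; }
    mk "$t/usr/bin/ls"         755 201502200000   # expected place, pruned
    mk "$t/usr/local/bin/tool" 755 201502200000   # expected place, pruned
    mk "$t/home/www/old.sh"    755 201412310000   # executable, but pre-2015
    mk "$t/var/www/index.html" 644 201502200000   # recent, not executable
    mk "$t/home/www/recent.sh" 755 201502200000   # recent executable: hit
    mk "$t/tmp/.cache/helper"  755 201502200000   # recent executable: hit
    find_unexpected_exec "$t" 2015-01-01 usr/bin usr/local/bin \
        | sed "s|^$t/||" | sort
    rm -rf "$t"
}

demo
```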