From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 20:43:25 2015
From: Mark Felder
To: Glyn Grinstead
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Thu, 26 Feb 2015 14:43:23 -0600
Message-Id: <1424983403.4117041.232953973.212CCED4@webmail.messagingengine.com>
In-Reply-To: <20150226201234.GA1920@dhole.grinstead.net>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl> <1424973772.4085078.232885457.0277C7ED@webmail.messagingengine.com> <20150226201234.GA1920@dhole.grinstead.net>
List-Id: "Security issues [members-only posting]"

On Thu, Feb 26, 2015, at 14:12, Glyn Grinstead wrote:
> On Thu, 26 Feb 2015 at 12:02:52 -0600, Mark Felder wrote:
> > On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
> > >
> > > Example:
> > > # touch -t 201501010000 foo
> > > # find / -user www -newer foo
> >
> > Thanks for posting this trick -- I've never considered it before and
> > will certainly put it in my toolbox!
>
> While Walter is correct to give the universal form, if you know your system
> supports the -newerXY option you can skip the temporary file and use:
>
> # find / -user www -newermt 2015-01-01
>
> Find is a fun program to get to grips with to spot odd things going on.
> There's a tendency to assume you need to know what you're looking for in
> the first place, but you can also tell it to show you things you don't
> know about:
>
> Files with an unknown user or group (tidying up after restoring partially
> from a backup, or spotting hacks that weren't quite elegant enough):
>
> # find / -nouser -o -nogroup
>
> I know my $PATH will have executables in it, and some other directories are
> almost certain to contain executables as well. But where are there
> executables that aren't in the usual places (maybe hacks, maybe users riding
> roughshod across the system installing things in strange places to trip
> people up later when they don't get patched)?
>
> # find -E / -type d -regex "`echo $PATH | sed -e \"s/:/\|/g\"`|/usr/libexec|/boot|/usr/src|/usr/local/etc/rc.d|/usr/local/lib|/usr/local/libexec|/usr/ports/.*/work|/usr/obj|/rescue|/etc/rc.d|/etc/periodic|/libexec" -prune -o -type f -perm +111 -print
>
> And you can combine them, of course: modified since 1st Jan 2015, a regular
> file and executable:
>
> # find / -newermt 2015-01-01 -type f -perm +111
>
> Glyn.
> (Something of a fan of find :-)

Please partner with MW Lucas and write a "find mastery" to document all of these clever uses of find. (I'd read it.)
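The two find idioms quoted above (Walter's "modified since a date" check and Glyn's "executables outside the expected directories" sweep) as an added, runnable example. This script is not part of the thread; it builds its own constructed directory tree under a temp dir, so the paths, file names and timestamps below are all made up for the demonstration. It deliberately sticks to the POSIX subset of find so the same commands behave on FreeBSD and GNU systems: the BSD `-perm +111` in the mail is spelled `-perm /111` by GNU find, so the script tests each execute bit with `-perm -mode` instead, and it replaces `-E`/`-regex` with a `-path` list.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: runs the find idioms
# Walter and Glyn describe against a small constructed directory tree so
# the output can be checked. Every path below is created by the script.
set -eu

# Create a constructed tree under a temp dir and print its root:
#   usr/bin/legit        executable, mtime set to 2014 (an "old" install)
#   var/tmp/.helper      executable sitting where no executable belongs
#   home/user/notes.txt  ordinary, non-executable file
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/var/tmp" "$root/home/user"
    printf '#!/bin/sh\n' > "$root/usr/bin/legit"
    printf '#!/bin/sh\n' > "$root/var/tmp/.helper"
    printf 'notes\n'     > "$root/home/user/notes.txt"
    chmod 755 "$root/usr/bin/legit" "$root/var/tmp/.helper"
    touch -t 201401010000 "$root/usr/bin/legit"
    printf '%s\n' "$root"
}

# Regular files under $1 modified after timestamp $2 (YYYYMMDDhhmm).
# Uses Walter's portable touch -t / -newer form; where find has -newerXY,
# `find "$1" -newermt YYYY-MM-DD -type f` gives the same result.
newer_than() {
    ref=$(mktemp)
    touch -t "$2" "$ref"
    find "$1" -newer "$ref" -type f -print | sort
    rm -f "$ref"
}

# Executables under root $1 that live outside the colon-separated list of
# expected directories $2 (given relative to the root, e.g. /usr/bin:/bin).
# Glyn's one-liner does this with -E/-regex and FreeBSD's `-perm +111`;
# GNU find spells the latter `-perm /111`, so this version uses the POSIX
# `-perm -mode` test once per execute bit and -path for the prune list.
stray_executables() {
    root=$1
    allowed=$2
    # Build the prune expression as an argument list; the first -path is a
    # placeholder that cannot match, so every real entry is prefixed by -o.
    set -- -path "$root/.no-such-dir"
    old_ifs=$IFS
    IFS=:
    for d in $allowed; do
        set -- "$@" -o -path "$root$d"
    done
    IFS=$old_ifs
    find "$root" -type d \( "$@" \) -prune -o \
         -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

demo() {
    root=$(make_tree)
    echo "Files modified since 2015-01-01:"
    newer_than "$root" 201501010000
    echo "Executables outside /usr/bin and /bin:"
    stray_executables "$root" "/usr/bin:/bin"
    rm -rf "$root"
}

demo
```

On a real system the root argument would be `/` and the allowed list would be `$PATH` plus the extra directories Glyn enumerates; the output is the set of files a defender then has to account for, which is why `-newer`/`-newermt` pairs so well with it: narrowing to "executable, outside the usual places, and modified since the last known-good date" turns a full-filesystem sweep into a short review list.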