Date: Tue, 24 Jul 2001 15:47:11 -0700 From: Kris Kennaway <kris@obsecurity.org> To: Peter Pentchev <roam@orbitel.bg> Cc: Jon Loeliger <jdl@jdl.com>, security@freebsd.org Subject: Re: Security Check Diffs Question Message-ID: <20010724154711.B36368@xor.obsecurity.org> In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg>; from roam@orbitel.bg on Tue, Jul 24, 2001 at 08:52:28PM %2B0300 References: <200107241632.LAA05639@chrome.jdl.com> <20010724205228.A16243@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
--dc+cDN39EJAMEtIO Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jul 24, 2001 at 08:52:28PM +0300, Peter Pentchev wrote: > On Tue, Jul 24, 2001 at 11:32:23AM -0500, Jon Loeliger wrote: > > Hi Folks, > >=20 > > This morning, on a machine that's been up for 33 days, > > I suddenly saw these /etc/security diffs: > >=20 > > <host> setuid diffs: > > 20,22c20,22 > > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/c= hfn > > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/c= hpass > > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/c= hsh > > --- > > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/c= hfn > > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/c= hpass > > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/c= hsh >=20 > This means that there were 6 files hardlinked to inode 8047, now there are > only five. One of the links was removed and probably replaced with somet= hing > else, which cannot point to the same inode. >=20 > > 53,55c53,55 > > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/y= pchfn > > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/y= pchpass > > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/y= pchsh > > --- > > > 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/y= pchfn > > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/y= pchpass > > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/y= pchsh >=20 > ypchfn changed its inode number, and its link count. This means that > somebody performed an unlink() (delete) on ypchfn, and then created > a new ypchfn with the same size, timestamp, permissions and stuff, > but still a new file - and that's where the hardlink count + inum > tracking of /etc/security kicked in and alerted you. This is a signature I've seen before; chances are someone has gained root on your machine (probably through telnetd) Kris --dc+cDN39EJAMEtIO Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7XfrvWry0BWjoQKURAvJeAKDsCZkpIj6+SPgDlJKLcZcHHXsGQQCfc7uh mPBrUpzcRNEQq2OkAA9sHhg= =jAzX -----END PGP SIGNATURE----- --dc+cDN39EJAMEtIO-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010724154711.B36368>