Date: Thu, 8 Aug 2002 22:52:57 -0500
From: Dan Nelson
To: Darren
Cc: fbsd-questions
Subject: Re: strange ls and date commands (innocent or suspicious?)

In the last episode (Aug 08), Darren said:
> I came across two files "ls" and "date" in an odd place with slightly
> different permissions and different groups. I'm running 4.6 with
> some stuff backed up from 4.4. It seems that I copied them from my
> old box. I don't think this box has been compromised. Nothing other
> than port 80 and 25 have ever been open, plus I keep a close watch on
> it with aide. It's a new install and I'm keeping it up-to-date.
> But, I wonder if my old one was. Do you think these filenames are
> suspicious? Do they have logical explanations?
>
> in /hd2/var/ftp/bin, I have:
> ---x--x--x 1 root operator 298904 Jun 16 09:39 ls
> ---x--x--x 1 root operator 185792 Jun 16 09:39 date
>
> in /bin, I have:
> -r-xr-xr-x 1 root wheel 298904 Jun 10 23:18 /bin/ls
> -r-xr-xr-x 1 root wheel 185792 Jun 10 23:18 /bin/date
>
> Also, I found this entry in /etc/passwd:
> ftp:*:14:5::0:0:Anonymous FTP Admin:/hd2/var/ftp:/nonexistent

That entry and the extra bin and ls are for chrooted anonymous FTP
access. If you remove the account, you might as well rm -rf
/hd2/var/ftp as well.

-- 
Dan Nelson
dnelson@allantgroup.com
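The listing in the thread shows matching sizes only, so here is one way to confirm that the chroot copies really are the system binaries. This is an added example, not part of the original message. The function name check_chroot_bin is hypothetical, and the policy it enforces (byte-identical to the file of the same name in /bin, owned by root, no write bits) is an assumption about how the chroot was set up.

```sh
#!/bin/sh
# Added example (not from the original thread): audit the bin directory of an
# anonymous-FTP chroot against the system binaries it was copied from.
# Usage: check_chroot_bin CHROOT_BIN [SYSTEM_BIN] [OWNER]
# Run as root so that execute-only files (mode 111) can be read.
# Returns 0 when every file is clean, 1 when anything needs a closer look.
check_chroot_bin() {
    chroot_bin=$1
    system_bin=${2:-/bin}
    owner=${3:-root}          # assumed policy: copies belong to root
    status=0
    for f in "$chroot_bin"/*; do
        # Skip the unexpanded pattern left behind by an empty directory.
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        ref=$system_bin/$name
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "SUSPECT $name: not a regular file"
            status=1
        elif [ ! -f "$ref" ]; then
            echo "UNKNOWN $name: no $ref to compare with"
            status=1
        elif ! cmp -s "$f" "$ref"; then
            # Equal size proves nothing; compare every byte.
            echo "DIFFERS $name: content is not that of $ref"
            status=1
        elif [ -z "$(find "$f" -prune -user "$owner")" ]; then
            echo "OWNER   $name: not owned by $owner"
            status=1
        elif [ -n "$(find "$f" -prune \( -perm -200 -o -perm -020 -o -perm -002 \))" ]; then
            echo "PERMS   $name: write bit set"
            status=1
        else
            echo "OK      $name"
        fi
    done
    return $status
}

# Paths from the thread; uncomment to run on a live system.
# check_chroot_bin /hd2/var/ftp/bin /bin root
```

A DIFFERS result after a system upgrade can simply mean the chroot copy is stale; comparing it with the binary from the release it was copied from settles that.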