Date:      Thu, 10 Aug 1995 08:25:52 -0400 (EDT)
From:      John Capo <jc@irbs.com>
To:        mpp@mpp.minn.net (Mike Pritchard)
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: daily insecurity output (fwd)
Message-ID:  <199508101225.IAA06725@irbs.irbs.com>
In-Reply-To: <199508100907.EAA02358@mpp.minn.net> from "Mike Pritchard" at Aug 10, 95 04:07:35 am

Mike Pritchard writes:
> 
> I received the following from the security section of my /etc/daily
> report, and I'm not totally sure what to make of it.  My last 
> make world/install was on Jul 13, but I know I did not re-install
> a new /bin/ps today.  However, I did reboot my machine at 18:23 
> at that time to clear up a problem that was causing all of the virtual 
> consoles to be unusable.
> 
> > checking setuid files and devices:
> > mpp setuid/device diffs:
> > 2c2
> > < -r-xr-sr-x  1 bin    kmem       151552 Jul 13 18:04:08 1995 /bin/ps
> > ---
> > > -r-xr-sr-x  1 bin    kmem       151552 Aug  9 18:23:38 1995 /bin/ps
> 
> I think I also located another binary with an odd timestamp,
> but I'll have to look into that some more.  
> 
> Probably the most important fact in all this is that the reboot
> I did at 18:23 was to boot a -current kernel.  Before that
> I was running a kernel that was about 2 - 2.5 weeks behind 
> -current.
> 
> Does anyone have any ideas about this?
> 
> (I'm doing a full security audit as I type this to see if I might
> have had a real breakin)

The date on /bin/df changed on me last week.  I didn't look at the
security mail till several days later.  The new date corresponded
with a full backup of two systems in preparation for Erin, which
never got here.

I supped new sources for df, built it, and it compared OK with
/bin/df.  There was no evidence of an intruder.  An intruder that
is good enough to get root and mess with /bin would also be able
to mung the dates back to match the old binary.

Something's fishy.

John Capo
IRBS Engineering
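The daily check quoted above diffs a listing keyed on mode, owner, size and mtime, and as John says, an intruder who can replace /bin/ps can also set the old date back with touch.  The script below is an added example, not part of this thread and not FreeBSD's /etc/daily or /etc/security: it inventories setuid/setgid files by content hash instead, and its demo() function builds a constructed scenario in a temporary directory (two fake setuid "binaries", one of them swapped for a same-size replacement with the original mtime restored) to show the date-based listing staying identical while the hash diff flags the change.  It assumes a POSIX sh plus find, ls, awk, touch, diff, cmp and one of sha256sum, sha256 (FreeBSD), shasum or openssl on PATH.

```shell
#!/bin/sh
# Hash-based setuid/setgid inventory.  Added example; this is not FreeBSD's
# /etc/daily or /etc/security code.  Assumes POSIX sh, find, ls, awk, touch,
# diff, cmp and one of sha256sum / sha256 / shasum / openssl.

# Pick whichever SHA-256 tool this host has (assumption: at least one exists).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then        # FreeBSD
        sha256 -q "$1"
    elif command -v shasum >/dev/null 2>&1; then        # macOS / perl
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# One line per setuid/setgid regular file under the given root:
#   mode owner group size sha256 path
# Deliberately no mtime: an intruder who can replace /bin/ps can also
# `touch -r` the old timestamp back, but the content hash still changes.
setuid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r f; do
        set -- $(ls -ld "$f")      # $1 mode, $3 owner, $4 group, $5 size
        printf '%s %s %s %s %s %s\n' "$1" "$3" "$4" "$5" "$(sha256_of "$f")" "$f"
    done
}

# Compare a saved baseline against the current tree.  Prints the diff and
# returns 1 when anything changed, 0 when the setuid set is intact.
setuid_check() {   # $1 = baseline file, $2 = directory root
    setuid_inventory "$2" > "$1.new"
    if diff "$1" "$1.new"; then
        rm -f "$1.new"; return 0
    fi
    rm -f "$1.new"; return 1
}

# Constructed demonstration: two fake setuid "binaries" in a temp dir, then
# a same-size replacement of ps with the old mtime restored (what a careful
# intruder would do).  Returns 0 when the ls -l view is unchanged but the
# hash inventory catches the swap, i.e. when the technique works as claimed.
demo() {
    d=$(mktemp -d) || return 2
    printf 'real ps\n' > "$d/ps"; chmod 4755 "$d/ps"
    printf 'real df\n' > "$d/df"; chmod 4755 "$d/df"
    setuid_inventory "$d" > "$d/baseline"
    ls -l "$d/ps" > "$d/ps.ls.before"

    # Attacker's swap: same length, same mode, original mtime copied back
    # with touch -r before the rename; chmod only bumps ctime.
    printf 'evil ps\n' > "$d/ps.tmp"
    chmod 4755 "$d/ps.tmp"
    touch -r "$d/ps" "$d/ps.tmp"
    mv "$d/ps.tmp" "$d/ps"

    ls -l "$d/ps" > "$d/ps.ls.after"
    if cmp -s "$d/ps.ls.before" "$d/ps.ls.after"; then mtime_hidden=1; else mtime_hidden=0; fi
    if setuid_check "$d/baseline" "$d" >/dev/null; then hash_caught=0; else hash_caught=1; fi

    rm -rf "$d"
    [ "$mtime_hidden" = 1 ] && [ "$hash_caught" = 1 ]
}
```

In use you would run setuid_inventory / over a known-good install (ideally from single-user mode or a boot medium), keep the baseline somewhere the machine cannot write to, and have the nightly job call setuid_check against it; a content hash also lets you confirm a rebuilt binary the way John did with df, without trusting the date at all.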

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199508101225.IAA06725>