Date: Fri, 06 Nov 1998 09:21:03 -0700
From: Brett Glass <brett@lariat.org>
To: tarkhil@synchroline.ru, mwlucas@exceptionet.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
Message-ID: <4.1.19981106091836.04eb61b0@127.0.0.1>
In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru>
References: <Your message "Fri, 06 Nov 1998 07:58:31 EST." <199811061258.HAA22049@easeway.com>

This might be a break-in, but it also might be due to the VM bug that
changes file mod dates. (We went to red alert over that one before we
found out about it.) This bug shouldn't be allowed to persist, as it
causes problems with tripwire, etc.

--Brett

At 05:19 PM 11/6/98 +0300, Alexander B. Povolotsky wrote:
> <199811061258.HAA22049@easeway.com>mwlucas@exceptionet.com writes:
>>I just got /etc/security mail from two 2.2.6 servers I administer. The
>>setuid diffs list every setuid program on the server as having been removed
>>and replaced.
>>
>>We haven't done a make world. We haven't touched much of anything.
>>
>>Is this normal, or should I be worried?
>*IMMEDIATELY* shut down both servers and do not bring them to the Internet until
>you've found the reason.
>
>It is *QUITE* abnormal. I would not call it "exploit", but it is something to
>understand at once.
>
>
>Alex.
>
>--
>Alexander B. Povolotsky, System Administrator
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
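
Added example, not part of the original message or of FreeBSD's /etc/security script: one way to tell a modification-date-only change from a real replacement is to keep a content hash next to the metadata for each setuid/setgid file and classify the differences between two snapshots. The record layout and the function names `snapshot` and `classify` are assumptions made for this sketch.

```python
import hashlib
import os
import stat


def snapshot(root):
    """Record mode, owner, size, mtime and SHA-256 of each setuid/setgid file under root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue  # only privileged binaries are of interest
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            records[path] = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                             "gid": st.st_gid, "size": st.st_size,
                             "mtime": int(st.st_mtime), "sha256": digest}
    return records


def classify(old, new):
    """Sort differences between two snapshots, most serious category first."""
    report = {"added": [], "removed": [], "content": [], "perms": [], "mtime_only": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        else:
            a, b = old[path], new[path]
            if a["sha256"] != b["sha256"]:
                report["content"].append(path)      # binary itself differs
            elif (a["mode"], a["uid"], a["gid"]) != (b["mode"], b["uid"], b["gid"]):
                report["perms"].append(path)        # same bytes, new owner or mode
            elif a["mtime"] != b["mtime"]:
                report["mtime_only"].append(path)   # only the date moved
    return report
```

A report where every path lands in `mtime_only` matches the date-changing behaviour described above; any entry in `content`, `perms` or `added` needs investigation. The old snapshot is only useful if it was taken and stored before the alarm, on media the suspect host cannot write to.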