From owner-freebsd-current Fri Feb 14 08:38:57 1997
Return-Path:
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id IAA14575
          for current-outgoing; Fri, 14 Feb 1997 08:38:57 -0800 (PST)
Received: from labs.usn.blaze.net.au (labs.usn.blaze.net.au [203.17.53.30])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA14529;
          Fri, 14 Feb 1997 08:38:30 -0800 (PST)
Received: (from davidn@localhost)
          by labs.usn.blaze.net.au (8.8.5/8.8.5) id DAA20076;
          Sat, 15 Feb 1997 03:38:12 +1100 (EST)
Message-ID: <19970215033810.19932@usn.blaze.net.au>
Date: Sat, 15 Feb 1997 03:38:10 +1100
From: David Nugent
To: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: [root@server.blaze.net.au: server security check output]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.61
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----Forwarded message from System Administrator -----
~
server setuid diffs:
25c25
< -r-sr-xr-x 5 root bin 294912 Feb 9 02:17:20 1997 /usr/bin/hoststat
---
> -r-sr-xr-x 5 root bin 294912 Feb 15 00:51:48 1997 /usr/bin/hoststat
34c34
< -r-sr-xr-x 5 root bin 294912 Feb 9 02:17:20 1997 /usr/bin/mailq
---
> -r-sr-xr-x 5 root bin 294912 Feb 15 00:51:48 1997 /usr/bin/mailq
37c37
< -r-sr-xr-x 5 root bin 294912 Feb 9 02:17:20 1997 /usr/bin/newaliases
---
> -r-sr-xr-x 5 root bin 294912 Feb 15 00:51:48 1997 /usr/bin/newaliases
114,115c114,115
< -r-sr-xr-x 5 root bin 294912 Feb 9 02:17:20 1997 /usr/sbin/purgestat
< -r-sr-xr-x 5 root bin 294912 Feb 9 02:17:20 1997 /usr/sbin/sendmail
---
> -r-sr-xr-x 5 root bin 294912 Feb 15 00:51:48 1997 /usr/sbin/purgestat
> -r-sr-xr-x 5 root bin 294912 Feb 15 00:51:48 1997 /usr/sbin/sendmail
~
-----End of forwarded message-----

This is the second time I've seen this since I last built world -
something has "touched" sendmail.

It doesn't appear to have been hacked, and I even checked the md5
against what it was originally when I last installed sendmail and it
hasn't changed. But suddenly the file date has been modified, and only
a couple of hours ago. This makes me a little nervous.

Nothing in any log indicates a problem; in fact, /var/log/maillog shows
no activity for a couple of minutes previous to a couple of minutes
after the mtime:

Feb 15 01:50:10 server sendmail[26963]: BAA26959: to=ronno, ctladdr=root (0/0), delay=00:00:05, xdelay=00:00:00, mailer=local, stat=Sent
Feb 15 01:53:32 server sendmail[26258]: BAA26258: from=root, size=2555, class=0, pri=32555, nrcpts=1, msgid=<199702141445.BAA26258@server.blaze.net.au>, relay=root@localhost

Anyone else seen this, or might offer a clue as to what is going on?

The sendmail executable in /usr/obj seems to not have been touched, nor
any of the directories, and it certainly has the original md5 as well.

The system is running -current, built from sources ~6th of Feb and
(obviously) sendmail 8.8.5. It is a fairly busy mail server and does a
fair amount of mail forwarding in addition to handling local users.

There is only one event I can find that might explain it, which I just
came across. One of our dialup users dialed in and ran sendmail -q,
obviously to force queue delivery. In his tcsh .history file I find:

Sat Feb 15 00:51:35 1997 sendmail -q

Oh well, chflags is good for something. :-)

This would appear to be Yet Another Sendmail Bug.

Regards,

David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-9791-9547  Data/BBS +61-3-9792-3507  3:632/348@fidonet
davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
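The manual triage in the message above (a setuid listing diff, then a digest comparison against a known-good value) can be done in one pass. The following is an added example, not part of the original post or of FreeBSD's security check. It assumes SHA-256 in place of the md5 used in the mail, uses its own status labels, and runs on a constructed stand-in file with one hard link, so that several names for the same inode are reported as one finding.

```python
import hashlib, os, pathlib, stat, tempfile

def snapshot(root):
    """Record metadata, mtime and SHA-256 of every setuid/setgid file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                continue
            digest = hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()
            snap[path] = {"inode": (st.st_dev, st.st_ino), "mtime": st.st_mtime_ns, "sha256": digest,
                          "meta": (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_size)}
    return snap

def classify(old, new):
    """Compare two snapshots; names that share an inode collapse into one finding."""
    grouped = {}
    for path in sorted(old.keys() | new.keys()):
        o, n = old.get(path), new.get(path)
        if o is None or n is None:
            status = "new" if o is None else "removed"
        elif o["sha256"] != n["sha256"]:
            status = "content-changed"   # the case that needs investigation
        elif o["meta"] != n["meta"]:
            status = "meta-changed"      # mode, owner, group or size differs
        elif o["mtime"] != n["mtime"]:
            status = "touched-only"      # new mtime, identical digest, as in the mail
        else:
            continue
        grouped.setdefault((status, (n or o)["inode"]), []).append(path)
    return sorted((status, paths) for (status, _ino), paths in grouped.items())

def demo(rewrite=False):
    """Constructed stand-in for sendmail and one hard link; touch it or rewrite it."""
    with tempfile.TemporaryDirectory() as root:
        target = pathlib.Path(root, "sendmail")
        target.write_bytes(b"constructed binary v1")
        os.link(target, target.with_name("mailq"))
        target.chmod(0o4755)
        base = snapshot(root)
        if rewrite:
            target.write_bytes(b"constructed binary v2")  # kernel may drop setuid on write
            target.chmod(0o4755)
        os.utime(target, ns=(0, 10**18))  # change mtime in both scenarios
        return [(s, [os.path.basename(p) for p in ps]) for s, ps in classify(base, snapshot(root))]

if __name__ == "__main__":
    print(demo(), demo(rewrite=True))
```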