Date: Fri, 6 Nov 1998 11:53:47 -0500
From: erics@now.com (Eric Siegerman)
To: tarkhil@synchroline.ru
Cc: mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
Message-ID: <m0zbp8t-00000zC@baal.now.com>
In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru> from "Alexander B. Povolotsky" at Nov 6, 98 09:19:13 am

Alexander B. Povolotsky wrote:
>
> <199811061258.HAA22049@easeway.com>mwlucas@exceptionet.com writes:
> >I just got /etc/security mail from two 2.2.6 servers I administer. The
> >setuid diffs list every setuid program on the server as having been removed
> >and replaced.

One possibility is that *one* file's size changed by enough to
add or subtract a digit, which caused the two "ls -l" outputs to
have different spacing. A simple "diff" would report all the
lines as having changed.

At some point, /etc/security got smart enough to ignore such
spurious differences. But I can't recall whether this had
happened by 2.2.6.

> It is *QUITE* abnormal. I would not call it "exploit", but it is something to
> understand at once.

It may or may not be abnormal, and it's more or less likely to be
an intrusion -- both depending on your OS version; see above.

But it's absolutely "something to understand at once"!

--

|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        erics@now.com
|  |  /
The Rock & Roll Baby Theorem:
    Syllables(x+"baby") = Syllables("baby"+x) = Syllables(x) + 2
    SemanticContent(x+"baby") = SemanticContent("baby"+x) = SemanticContent(x)
        - Anonymous

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
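
The column-width effect described in the message above, reproduced as an added example that is not part of the original e-mail and is not the code of FreeBSD's /etc/security script. The listings, file names and sizes are constructed, and collapsing whitespace with awk is an assumed way to suppress the spurious differences, not necessarily what /etc/security does.

```shell
#!/bin/sh
# Constructed sample data: two nightly "ls -l" listings of setuid files.
# Only passwd changed (size 99999 -> 100000), which widens the size column
# and re-pads every other line in today's listing.
write_samples() {   # $1 = directory to write the two listings into
cat > "$1/setuid.yesterday" <<'EOF'
-r-sr-xr-x  1 root  bin  24576 May 20  1998 /bin/rcp
-r-sr-xr-x  1 root  bin  99999 May 20  1998 /usr/bin/passwd
-r-sr-xr-x  1 root  bin  12288 May 20  1998 /usr/bin/su
EOF
cat > "$1/setuid.today" <<'EOF'
-r-sr-xr-x  1 root  bin   24576 May 20  1998 /bin/rcp
-r-sr-xr-x  1 root  bin  100000 Nov  6  1998 /usr/bin/passwd
-r-sr-xr-x  1 root  bin   12288 May 20  1998 /usr/bin/su
EOF
}

# Number of "<" and ">" lines diff reports between two files.
count_flagged() {
    diff "$1" "$2" | grep -c '^[<>]' || true
}

# Collapse every run of blanks to one space so padding changes disappear.
normalize() {
    awk '{ $1 = $1; print }' "$1"
}

# Same count, but taken after normalizing both listings.
count_flagged_normalized() {
    normalize "$1" > "$1.norm"
    normalize "$2" > "$2.norm"
    count_flagged "$1.norm" "$2.norm"
}

dir=$(mktemp -d)
write_samples "$dir"
old="$dir/setuid.yesterday"; new="$dir/setuid.today"
# Raw diff: all three files appear removed and re-added.
echo "raw diff flags:        $(count_flagged "$old" "$new") lines"
# Normalized diff: only the file whose size and date really changed.
echo "normalized diff flags: $(count_flagged_normalized "$old" "$new") lines"
diff "$old.norm" "$new.norm" || true
rm -rf "$dir"
```

Normalizing this way also collapses runs of spaces inside file names, so a report built on it should be read as a filter for padding noise and the remaining flagged lines still checked against the files themselves.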