Date:      Fri, 6 Nov 1998 11:53:47 -0500
From:      erics@now.com (Eric Siegerman)
To:        tarkhil@synchroline.ru
Cc:        mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG
Subject:   Re: *huge* setuid diffs
Message-ID:  <m0zbp8t-00000zC@baal.now.com>
In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru> from "Alexander B. Povolotsky" at Nov 6, 98 09:19:13 am

Alexander B. Povolotsky wrote:
>
> <199811061258.HAA22049@easeway.com>mwlucas@exceptionet.com writes:
> >I just got /etc/security mail from two 2.2.6 servers I administer.  The
> >setuid diffs list every setuid program on the server as having been removed
> >and replaced.

One possibility is that *one* file's size changed by enough to
add or subtract a digit, which caused the two "ls -l" outputs to
have different spacing.  A simple "diff" would report all the
lines as having changed.

At some point, /etc/security got smart enough to ignore such
spurious differences.  But I can't recall whether this had
happened by 2.2.6.

> It is *QUITE* abnormal. I would not call it "exploit", but it is something to 
> understand at once.

It may or may not be abnormal, and it's more or less likely to be
an intrusion -- both depending on your OS version; see above.  But
it's absolutely "something to understand at once"!

--

|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        erics@now.com
|  |  /
The Rock & Roll Baby Theorem:
  Syllables(x+"baby") = Syllables("baby"+x) = Syllables(x) + 2
  SemanticContent(x+"baby") = SemanticContent("baby"+x) = SemanticContent(x)
	- Anonymous
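
The spacing effect Eric describes, reproduced as an added example that is not part of the thread and not FreeBSD's own /etc/security code: three stand-in files (names, sizes and the pinned timestamp are constructed) are listed with "ls -l" before and after one of them grows from 999 to 1000 bytes. Because ls right-aligns the size column to the widest value, the two unchanged files' lines also gain a space, and a plain diff flags all three lines. The whitespace-squeezing comparison is an assumption about one way to ignore such column shifts; the page does not show how /etc/security actually handles it.

```shell
#!/bin/sh
# Added example, not from the thread: one file's size growing from 3 to 4
# digits makes "ls -l" widen its size column, so a plain diff of two
# listings flags every line.  Files, sizes and timestamp are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-ins for three "setuid" binaries.  Only "big" changes size between
# the two listings; the mtime is pinned so no other column can differ.
make_files() {
    head -c "$1" /dev/zero > "$WORK/big"
    head -c 50   /dev/zero > "$WORK/small1"
    head -c 60   /dev/zero > "$WORK/small2"
    touch -t 199811061153 "$WORK/big" "$WORK/small1" "$WORK/small2"
}

listing() {
    (cd "$WORK" && ls -l big small1 small2)
}

# Count the "before" lines that diff reports as changed.
changed_lines() {
    diff "$1" "$2" | grep -c '^<' || true
}

# Plain diff, the way the message says an older /etc/security compared.
naive_changed() {
    changed_lines "$WORK/before.txt" "$WORK/after.txt"
}

# Same comparison after squeezing runs of blanks (assumption: this is one
# way to ignore the column shift; the page does not show how /etc/security
# actually does it).  Real size, mode, owner or path changes still show.
normalized_changed() {
    tr -s ' ' < "$WORK/before.txt" > "$WORK/before.norm"
    tr -s ' ' < "$WORK/after.txt"  > "$WORK/after.norm"
    changed_lines "$WORK/before.norm" "$WORK/after.norm"
}

make_files 999  && listing > "$WORK/before.txt"
make_files 1000 && listing > "$WORK/after.txt"

echo "--- plain diff (every line looks changed):"
diff "$WORK/before.txt" "$WORK/after.txt" || true
echo "plain diff:      $(naive_changed) of 3 lines changed"
echo "normalized diff: $(normalized_changed) of 3 lines changed"
```

Squeezing blanks only removes alignment noise: a line whose size, mode, owner or path really changed still differs after normalization, which is exactly what the nightly setuid report should be flagging. If a 2.2.6 box reports every setuid binary as replaced, comparing the two listings with whitespace ignored is a quick way to tell a column shift from a real mass change.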
