Date:      Thu, 1 Feb 1996 10:36:26 -0600 (CST)
From:      john@starfire.mn.org
To:        questions@FreeBSD.org (FreeBSD questions)
Subject:   unaccounted-for mtime and ctime changes on SUID root programs
Message-ID:  <199602011636.KAA20578@starfire.mn.org>

A few times with FreeBSD 2.0.5 and now twice with FreeBSD 2.1(CD),
the nightly security check has revealed SUID root programs whose
modification times have changed.  I have immediately put in the
backup tapes, pulled down the original files, and compared them.
Every time, they have been identical (which is something of a relief
to know that worms or trojan horses are not being left around), but
I have to wonder how this is happening, and whether it may be an
indication of something sinister but more subtle going on (like someone
changing the programs, doing their mischief, and then changing them
back).

Help?

    From daemon Wed Jan 31 02:02:47 1996
    Received: (from root@localhost)
	    by starfire.mn.org (8.6.12/1.1)  id CAA25289
	    for root; Wed, 31 Jan 1996 02:00:32 -0600
    Date: Wed, 31 Jan 1996 02:00:32 -0600
    From: root@starfire.mn.org
    Message-Id: <199601310800.CAA25289@starfire.mn.org>
    Subject: dexter security check output
    Apparently-To: root@starfire.mn.org
    Status: OR

    checking setuid files and devices:
    dexter setuid/device diffs:
    41c41
    < -r-sr-sr-x  3 root  kmem  180224 Nov 16 03:59:26 1995 /usr/bin/mailq
    ---
    > -r-sr-sr-x  3 root  kmem  180224 Jan 30 03:00:12 1996 /usr/bin/mailq
    45c45
    < -r-sr-sr-x  3 root  kmem  180224 Nov 16 03:59:26 1995 /usr/bin/newaliases
    ---
    > -r-sr-sr-x  3 root  kmem  180224 Jan 30 03:00:12 1996 /usr/bin/newaliases
    126c126
    < -r-sr-sr-x  3 root  kmem   180224 Nov 16 03:59:26 1995 /usr/sbin/sendmail
    ---
    > -r-sr-sr-x  3 root  kmem   180224 Jan 30 03:00:12 1996 /usr/sbin/sendmail


    From daemon Thu Feb  1 02:02:32 1996
    Received: (from root@localhost)
	    by starfire.mn.org (8.6.12/1.1)  id CAA13705
	    for root; Thu, 1 Feb 1996 02:00:24 -0600
    Date: Thu, 1 Feb 1996 02:00:24 -0600
    From: root@starfire.mn.org
    Message-Id: <199602010800.CAA13705@starfire.mn.org>
    Subject: dexter security check output
    Apparently-To: root@starfire.mn.org
    Status: OR

    checking setuid files and devices:
    dexter setuid/device diffs:
    6c6
    < -r-sr-xr-x  1 root   bin        139264 Nov 16 03:50:03 1995 /sbin/mount_msdos
    ---
    > -r-sr-xr-x  1 root   bin        139264 Jan 31 13:05:09 1996 /sbin/mount_msdos

		   John Lind, Starfire Consulting Services
E-mail: john@starfire.MN.ORG		USnail: PO Box 17247, Mpls MN  55417
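
Added example (not part of the original message and not FreeBSD's own security script): one way to tell a timestamp-only change from a content change without pulling backup tapes is to keep a content hash beside the mtime and ctime in the nightly baseline. The function names and the temporary sample files are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Record content hash and inode metadata for every setuid/setgid file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[path] = {"sha256": digest,
                          "owner": (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)),
                          "times": (st.st_mtime_ns, st.st_ctime_ns)}
    return snap

def classify(old, new):
    """Compare two snapshots; return {path: verdict} for every path that differs."""
    out = {}
    for path in sorted(old.keys() | new.keys()):
        a, b = old.get(path), new.get(path)
        if a is None or b is None:
            out[path] = "added" if a is None else "removed"
        elif a["sha256"] != b["sha256"]:
            out[path] = "content-changed"
        elif a["owner"] != b["owner"]:
            out[path] = "owner-or-mode-changed"
        elif a["times"] != b["times"]:
            # Same bytes, owner and mode: only mtime/ctime moved, as in the report above.
            out[path] = "timestamps-only"
    return out

def demo():
    """Constructed sample: two setuid files in a temp dir, one touched, one rewritten."""
    with tempfile.TemporaryDirectory() as d:
        touched, rewritten = os.path.join(d, "mailq"), os.path.join(d, "mount_msdos")
        for p in (touched, rewritten):
            with open(p, "wb") as fh:
                fh.write(b"original bytes")
            os.chmod(p, 0o4755)
        before = snapshot(d)
        os.utime(touched, ns=(10**18, 10**18))   # timestamps move, bytes do not
        with open(rewritten, "wb") as fh:
            fh.write(b"different bytes")
        os.chmod(rewritten, 0o4755)              # a write may clear the setuid bit
        after = snapshot(d)
        return {os.path.basename(p): v for p, v in classify(before, after).items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:22} {name}")
```

A matching hash only shows the bytes are the same at the two snapshot times; the recorded ctime is what shows that the inode was touched in between.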


