Date:      Thu, 07 Aug 2014 07:26:33 +0200
From:      "Kenneth Bernholm" <kenneth@bernholm.dk>
To:        freebsd-questions@freebsd.org
Subject:   Investigating passwd, group and setuid diffs in status mails
Message-ID:  <3651ef748410db561b04fe10796b8e65@bernholm.dk>

I have found a couple of worrying messages in the FreeBSD (10) status mails and I'm not sure how to interpret the information. Both mails came in at 03:11 last night, the first time I had left my workstation (zork) on. I have other FreeBSD 10 machines (servers) in the same LAN which are always on and they've reported nothing.

Below is the daily run output mail. I'm worried about the passwd and group diffs as I have not changed any groups or passwords for a while. My question is: how do I investigate these diffs properly and are there any obvious explanations or reasons that I should know about?


Removing stale files from /var/preserve:

Cleaning out old system announcements:

Removing stale files from /var/rwho:

Backup passwd and group files:
zork passwd diffs:
34a35
> logcheck:(password):915:915::0:0:Logcheck system account:/var/lib/logcheck:/usr/local/bin/bash
zork group diffs:
41a42,43
> ssmtp:*:916:
> logcheck:*:915:

Verifying group file syntax:
/etc/group is fine

Backing up mail aliases:

Disk status:
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/ada0p2    140G     25G    105G    19%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0p1     451G     22G    393G     5%    /usbdisk

Network interface status:
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs Coll Drop
em0    1500 <Link#1>      90:e2:ba:6a:c0:dc   247366     0     0   227852     0    0    0
em0    1500 192.168.1.0   zork                239442     -     -   226920     -    -    -
lo0   16384 <Link#2>                               0     0     0        0     0    0    0
lo0   16384 localhost     ::1                      0     -     -        0     -    -    -
lo0   16384 fe80::1%lo0   fe80::1                  0     -     -        0     -    -    -
lo0   16384 your-net      localhost                0     -     -        0     -    -    -

Local system status:
 3:01AM  up 22:21, 2 users, load averages: 0.24, 0.33, 0.25

Mail in local queue:
mailq: Mail queue is empty

Mail in submit queue:
mailq: Mail queue is empty

Security check:
    (output mailed separately)

Checking for rejected mail hosts:

Backing up pkgng database:

-- End of daily output --

My other worry is the daily security run output mail from the same workstation (see below). There's a couple of setuid diffs and then a dump of old log file entries. My question is again: how do I investigate these diffs and what could cause them? Also - why the dump of the old log entries?



Checking setuid files and devices:
zork setuid diffs:
--- /var/log/setuid.today        2014-05-21 03:07:00.000000000 +0200
+++ /tmp/security.kNUKUHM3        2014-08-07 03:06:29.000000000 +0200
@@ -32,13 +32,15 @@
 7704735 -r-sr-xr-x  6 root  wheel         22376 Jan 16 23:41:02 2014 /usr/bin/ypchpass
 7704735 -r-sr-xr-x  6 root  wheel         22376 Jan 16 23:41:02 2014 /usr/bin/ypchsh
 7704601 -r-sr-xr-x  2 root  wheel          8296 Jan 16 23:41:09 2014 /usr/bin/yppasswd
-7791699 -r-xr-sr-x  1 root  smmsp        676064 Jan 16 23:41:34 2014 /usr/libexec/sendmail/sendmail
+7791952 -r-xr-sr-x  1 root  smmsp        676064 Jun 26 06:30:49 2014 /usr/libexec/sendmail/sendmail
 7707857 -r-sr-xr-x  1 root  wheel         32824 Jan 16 23:40:38 2014 /usr/libexec/ssh-keysign
 7707853 -r-sr-xr-x  1 root  wheel          6000 Jan 16 23:40:05 2014 /usr/libexec/ulog-helper
 8268343 -r-sr-xr-x  1 root  wheel       1819872 Apr 15 05:47:39 2014 /usr/local/bin/Xorg
+8269540 -rwxr-sr-x  1 root  wheel         18064 Jun 26 06:34:34 2014 /usr/local/bin/lockfile
 8266420 -rwxr-sr-x  1 root  mail          11392 Apr  6 12:40:12 2014 /usr/local/bin/mutt_dotlock
 8268183 -rwsr-xr-x  1 root  wheel         20072 Apr 15 05:43:54 2014 /usr/local/bin/pkexec
-8268086 -rwsr-x---  1 root  messagebus   280784 Apr 15 05:41:41 2014 /usr/local/libexec/dbus-daemon-launch-helper
+8269542 -rwsr-sr-x  1 root  wheel         98224 Jun 26 06:34:34 2014 /usr/local/bin/procmail
+8269658 -rwsr-x---  1 root  messagebus   270896 Jul  1 12:14:01 2014 /usr/local/libexec/dbus-daemon-launch-helper
 8268207 -rwsr-xr-x  1 root  wheel         12152 Apr 15 05:43:54 2014 /usr/local/libexec/polkit-agent-helper-1
 8268125 -rwxr-sr-x  1 root  polkit        19736 Apr 15 05:42:07 2014 /usr/local/libexec/polkit-explicit-grant-helper
 8268126 -rwxr-sr-x  1 root  polkit        17712 Apr 15 05:42:07 2014 /usr/local/libexec/polkit-grant-helper
@@ -47,6 +49,7 @@
 8268129 -rwsr-xr-x  1 root  wheel          8472 Apr 15 05:42:07 2014 /usr/local/libexec/polkit-resolve-exe-helper
 8268130 -rwxr-sr-x  1 root  polkit        21328 Apr 15 05:42:07 2014 /usr/local/libexec/polkit-revoke-helper
 8268131 -rwsr-xr-x  1 root  polkit        22032 Apr 15 05:42:07 2014 /usr/local/libexec/polkit-set-default-helper
+8269530 -r-xr-sr-x  1 root  ssmtp         32360 Jun 25 10:26:12 2014 /usr/local/sbin/ssmtp
 7707669 -r-sr-sr-x  2 root  authpf        24160 Jan 16 23:41:18 2014 /usr/sbin/authpf
 7707669 -r-sr-sr-x  2 root  authpf        24160 Jan 16 23:41:18 2014 /usr/sbin/authpf-noip
 7707607 -r-xr-sr-x  1 root  daemon        55584 Jan 16 23:41:27 2014 /usr/sbin/lpc

Checking negative group permissions:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

zork kernel log messages:
+++ /tmp/security.GuJvYr8G        2014-08-07 03:11:32.000000000 +0200
+FreeBSD 10.0-RELEASE-p6 #0: Tue Jun 24 07:47:37 UTC 2014
+vgapci0: <VGA-compatible display> port 0x2220-0x2227 mem 0xf0100000-0xf017ffff,0xe0000000-0xefffffff,0xf0000000-0xf00fffff irq 16 at device 2.0 on pci0
+em0: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0x2100-0x211f mem 0xf0180000-0xf019ffff,0xf01a4000-0xf01a4fff irq 19 at device 25.0 on pci0
+uhci0: <Intel 82801I (ICH9) USB controller> port 0x2120-0x213f irq 20 at device 26.0 on pci0
+uhci1: <Intel 82801I (ICH9) USB controller> port 0x2140-0x215f irq 21 at device 26.1 on pci0
+uhci2: <Intel 82801I (ICH9) USB controller> port 0x2160-0x217f irq 22 at device 26.2 on pci0
+uhci3: <Intel 82801I (ICH9) USB controller> port 0x2180-0x219f irq 20 at device 29.0 on pci0
+uhci4: <Intel 82801I (ICH9) USB controller> port 0x21a0-0x21bf irq 21 at device 29.1 on pci0
+em0: <Intel(R) PRO/1000 Legacy Network Connection 1.0.6> port 0x1100-0x113f mem 0xf0200000-0xf021ffff,0xf0220000-0xf023ffff irq 20 at device 4.0 on pci7
+em0: Ethernet address: 90:e2:ba:6a:c0:dc
+atapci0: <Intel ICH9 SATA300 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x21e0-0x21ef,0x21f0-0x21ff irq 18 at device 31.2 on pci0
+atapci1: <Intel ICH9 SATA300 controller> port 0x2238-0x223f,0x2250-0x2253,0x2240-0x2247,0x2254-0x2257,0x2200-0x220f,0x2210-0x221f irq 18 at device 31.5 on pci0
+Timecounter "TSC-low" frequency 1163772879 Hz quality 1000
+ugen3.2: <Western Digital> at usbus3
+ugen1.2: <Logitech> at usbus1
+ukbd0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1
+ums0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1
+uhid0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1

zork login failures:

zork refused connections:

Checking for packages with security vulnerabilities:
dbus-1.8.4
firefox-30.0_1,1
nss-3.16

-- End of security output --
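Review bot: in the first hunk (@@ -32,13 +32,15 @@) the only base-system change is /usr/libexec/sendmail/sendmail, and its mode (-r-xr-sr-x root smmsp) and size (676064) are identical before and after; only the inode and mtime moved (Jan 16 to Jun 26), which is what a binary replaced by a system update looks like, and the kernel log further down shows 10.0-RELEASE-p6 built Jun 24. The other additions all live under /usr/local and should map to packages: /usr/local/bin/lockfile and /usr/local/bin/procmail carry the same timestamp (Jun 26 06:34:34), i.e. one install, and /usr/local/libexec/dbus-daemon-launch-helper was replaced by a file with the same mode and ownership (-rwsr-x--- root messagebus) but a different size dated Jul 1, consistent with an upgrade of the dbus package that the vulnerability check lists as dbus-1.8.4. Check each path with pkg which and the owning package with pkg check -s; for sendmail, freebsd-update IDS compares the installed file against the release checksums. A setuid file that no package claims is the one that deserves real attention; a same-mode, same-size file with a new inode after a known update does not.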
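Review bot: the second hunk (@@ -47,6 +49,7 @@) adds exactly one file, /usr/local/sbin/ssmtp, setgid to group ssmtp and dated Jun 25, and the group diff in the daily mail adds exactly that group (ssmtp:*:916:), so the two diffs point at a single ssmtp package installation; the logcheck account (uid/gid 915) in the same daily diff is the other new identity, and the (password) in its second field is the masked hash the backup script writes into the diff, not a literal value in the file. The reason all of this arrives in one batch is visible in the header: the baseline /var/log/setuid.today is dated 2014-05-21, so every change since then shows up on the first nightly run. Confirm ownership with pkg which /usr/local/sbin/ssmtp and pkg info -l ssmtp, and reconcile the two new accounts against the packages installed on Jun 25 and 26.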
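Review bot: the kernel log section is a diff with a +++ header for the new file and no --- line for a previous one, and every entry is prefixed +, starting with the boot banner (FreeBSD 10.0-RELEASE-p6 #0: Tue Jun 24 ...). That is what the comparison looks like when there is no previous day's message buffer to diff against, which matches the workstation being left on overnight for the first time: the whole boot-time dmesg is reported as new. Every line shown is a hardware probe message, not a runtime event. If the machine stays up, this section should be empty tomorrow, and any + line that appears then is worth reading on its own.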
Of course my main concern is if my system has been compromised. All inputs on the situation are greatly appreciated.

Kenneth Bernholm
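A small triage parser for the setuid diff format in the message above, added here as an example (it is not code from the original post or from FreeBSD's periodic scripts). The sample diff is constructed from the entries quoted in the post, and the verdict labels are this example's own.

```python
"""Triage a FreeBSD /etc/security setuid diff (added example, not the poster's
code); the sample lines are constructed from the entries quoted in the message."""
import re
from collections import defaultdict

# One listing line: inode mode nlink owner group size "Mon DD HH:MM:SS YYYY" path
LINE_RE = re.compile(
    r'^(?P<ino>\d+)\s+(?P<mode>\S{10})\s+(?P<nlink>\d+)\s+(?P<owner>\S+)\s+'
    r'(?P<group>\S+)\s+(?P<size>\d+)\s+'
    r'(?P<mtime>\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(?P<path>/\S+)$')

SAMPLE = """--- /var/log/setuid.today        2014-05-21 03:07:00.000000000 +0200
+++ /tmp/security.kNUKUHM3        2014-08-07 03:06:29.000000000 +0200
@@ -32,13 +32,15 @@
 7704601 -r-sr-xr-x  2 root  wheel          8296 Jan 16 23:41:09 2014 /usr/bin/yppasswd
-7791699 -r-xr-sr-x  1 root  smmsp        676064 Jan 16 23:41:34 2014 /usr/libexec/sendmail/sendmail
+7791952 -r-xr-sr-x  1 root  smmsp        676064 Jun 26 06:30:49 2014 /usr/libexec/sendmail/sendmail
+8269540 -rwxr-sr-x  1 root  wheel         18064 Jun 26 06:34:34 2014 /usr/local/bin/lockfile
-8268086 -rwsr-x---  1 root  messagebus   280784 Apr 15 05:41:41 2014 /usr/local/libexec/dbus-daemon-launch-helper
+8269658 -rwsr-x---  1 root  messagebus   270896 Jul  1 12:14:01 2014 /usr/local/libexec/dbus-daemon-launch-helper
+8269530 -r-xr-sr-x  1 root  ssmtp         32360 Jun 25 10:26:12 2014 /usr/local/sbin/ssmtp
"""

def parse_setuid_diff(text):
    """Pair removed (-) and added (+) entries by path; skip headers and context."""
    entries = defaultdict(lambda: {'old': None, 'new': None})
    for line in text.splitlines():
        if line.startswith(('---', '+++', '@@')) or line[:1] not in ('+', '-'):
            continue
        m = LINE_RE.match(line[1:].strip())
        if m:  # anything that is not a listing line is ignored
            entries[m['path']]['old' if line[0] == '-' else 'new'] = m.groupdict()
    return dict(entries)

def classify(entries):
    """Label each path by what actually changed, so the alarming cases stand out."""
    verdicts = {}
    for path, pair in entries.items():
        old, new = pair['old'], pair['new']
        if old is None:
            verdicts[path] = 'new: confirm a package installed it (pkg which)'
        elif new is None:
            verdicts[path] = 'removed'
        elif (old['mode'], old['owner'], old['group']) != (new['mode'], new['owner'], new['group']):
            verdicts[path] = 'mode or ownership changed: investigate'
        elif old['size'] == new['size']:
            verdicts[path] = 'same size and mode, new inode: looks reinstalled, verify checksum'
        else:
            verdicts[path] = 'different size: check it matches the installed package'
    return verdicts
```

Run it over the real diff with `classify(parse_setuid_diff(open('/path/to/mail').read()))`; the labels only rank what to check first, the package and checksum tools decide.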

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3651ef748410db561b04fe10796b8e65>