Date: Mon, 6 Aug 2001 14:27:08 +0000 (UTC) From: naddy@mips.inka.de (Christian Weisgerber) To: freebsd-security@freebsd.org Subject: Tracing writes? Message-ID: <9km9fr$1sb$1@kemoauc.mips.inka.de>
You see that a file is written to. How do you figure out where the write() is coming from?

As I have described on -current, executables keep getting new mtimes on my box (FreeBSD-CURRENT/alpha). Comparing MD5 hashes of the files before and after, as well as copying the files to an entirely different system and comparing hashes there, shows no changes.

I've set up a little program that uses a kqueue() filter to watch over /bin/*. I expected to see utimes() updates (NOTE_ATTRIB), but it's telling me that the executables are actually _written_ to (NOTE_WRITE).

I'm skeptical that I'm dealing with a security breach here, but something is going on I don't understand, and that in itself is worrying.

Suggestions how to nail down the source of those write()s?

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
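The watch-and-compare approach the post describes, written out as an added example (this is not naddy's program and not part of the original thread). It does two things: a baseline of (mtime, size, content hash) over a set of files with a comparison that separates a bare timestamp bump ("touched") from a change in the bytes ("modified"), and a kqueue EVFILT_VNODE watcher that reports which of NOTE_WRITE / NOTE_ATTRIB / ... fired for each path. Assumptions: SHA-256 is used in place of the MD5 the post mentions; the watcher only works where Python exposes select.kqueue() (FreeBSD, macOS); the numeric fallbacks for the NOTE_* bits are the values from the FreeBSD/macOS sys/event.h and are only used so the decoder can be exercised on hosts without kqueue. The example tells you what happened to a file, not which process did it.

```python
"""Baseline/compare of executables plus a kqueue EVFILT_VNODE watcher.

Added example, not code from the original post. SHA-256 replaces the
MD5 the post mentions; the fallback NOTE_* values (assumption) are the
FreeBSD/macOS sys/event.h constants, used only where select has no
kqueue so that decode_vnode_flags() still works.
"""
import glob
import hashlib
import os
import select
import stat
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

Snapshot = Dict[str, Tuple[int, int, str]]  # path -> (mtime_ns, size, sha256)

# Flag bits of the EVFILT_VNODE fflags word, in the order kqueue(2) lists them.
VNODE_FLAGS = {
    "NOTE_DELETE": getattr(select, "KQ_NOTE_DELETE", 0x01),
    "NOTE_WRITE":  getattr(select, "KQ_NOTE_WRITE",  0x02),
    "NOTE_EXTEND": getattr(select, "KQ_NOTE_EXTEND", 0x04),
    "NOTE_ATTRIB": getattr(select, "KQ_NOTE_ATTRIB", 0x08),
    "NOTE_LINK":   getattr(select, "KQ_NOTE_LINK",   0x10),
    "NOTE_RENAME": getattr(select, "KQ_NOTE_RENAME", 0x20),
    "NOTE_REVOKE": getattr(select, "KQ_NOTE_REVOKE", 0x40),
}


def snapshot(paths: Iterable[str]) -> Snapshot:
    """Record mtime, size and a content hash for every regular file given."""
    out: Snapshot = {}
    for p in paths:
        st = os.lstat(p)
        if not stat.S_ISREG(st.st_mode):   # skip symlinks, dirs, devices
            continue
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        out[p] = (st.st_mtime_ns, st.st_size, h.hexdigest())
    return out


def classify(before: Snapshot, after: Snapshot) -> Dict[str, str]:
    """Per path: 'modified' if the bytes differ, 'touched' if only the
    mtime moved (utimes(), or a write() that stored identical bytes, which
    hashing alone cannot tell apart), else 'unchanged'/'added'/'removed'."""
    verdict: Dict[str, str] = {}
    for p in set(before) | set(after):
        if p not in before:
            verdict[p] = "added"
        elif p not in after:
            verdict[p] = "removed"
        else:
            b_mtime, _, b_hash = before[p]
            a_mtime, _, a_hash = after[p]
            if b_hash != a_hash:
                verdict[p] = "modified"
            elif b_mtime != a_mtime:
                verdict[p] = "touched"
            else:
                verdict[p] = "unchanged"
    return verdict


def decode_vnode_flags(fflags: int) -> List[str]:
    """Turn a kevent fflags word into the NOTE_* names that are set."""
    return [name for name, bit in VNODE_FLAGS.items() if fflags & bit]


def watch(paths: Iterable[str], timeout: float = None) -> Iterator[Tuple[str, List[str]]]:
    """Yield (path, [NOTE_* names]) for each vnode event. BSD/macOS only;
    stops after a quiet period of `timeout` seconds if one is given."""
    if not hasattr(select, "kqueue"):
        raise OSError("select.kqueue() is not available on this platform")
    kq = select.kqueue()
    fd_to_path: Dict[int, str] = {}
    for p in paths:
        fd = os.open(p, os.O_RDONLY)      # EVFILT_VNODE needs an open descriptor
        fd_to_path[fd] = p
        ev = select.kevent(fd, filter=select.KQ_FILTER_VNODE,
                           flags=select.KQ_EV_ADD | select.KQ_EV_CLEAR,
                           fflags=sum(VNODE_FLAGS.values()))
        kq.control([ev], 0)
    try:
        while True:
            events = kq.control(None, 64, timeout)
            if not events:
                return
            for ev in events:
                yield fd_to_path[ev.ident], decode_vnode_flags(ev.fflags)
    finally:
        for fd in fd_to_path:
            os.close(fd)
        kq.close()


if __name__ == "__main__":
    targets = sorted(glob.glob(sys.argv[1] if len(sys.argv) > 1 else "/bin/*"))
    base = snapshot(targets)               # baseline hashes before watching
    for path, flags in watch(list(base)):
        if "NOTE_DELETE" in flags or "NOTE_REVOKE" in flags:
            print(path, "+".join(flags))
            continue
        now = snapshot([path])             # re-hash only the file that fired
        print(path, "+".join(flags), "->", classify({path: base[path]}, now)[path])
        base.update(now)
```

Run it as `python3 watchbin.py '/bin/*'` on a BSD host; every event line shows the raw kqueue flags next to the hash verdict, so a NOTE_WRITE with "touched" is exactly the symptom the post reports (a write that left the bytes unchanged), while NOTE_ATTRIB alone points at utimes().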