From: naddy@mips.inka.de (Christian Weisgerber)
Subject: Tracing writes?
Date: Mon, 6 Aug 2001 14:27:08 +0000 (UTC)
Message-ID: <9km9fr$1sb$1@kemoauc.mips.inka.de>
To: freebsd-security@freebsd.org

You see that a file is written to. How do you figure out where the write() is coming from?

As I have described on -current, executables keep getting new mtimes on my box (FreeBSD-CURRENT/alpha). Comparing MD5 hashes of the files before and after, as well as copying the files to an entirely different system and comparing hashes there, shows no changes.

I've set up a little program that uses a kqueue() filter to watch over /bin/*. I expected to see utimes() updates (NOTE_ATTRIB), but it's telling me that the executables are actually _written_ to (NOTE_WRITE).

I'm skeptical that I'm dealing with a security breach here, but something is going on I don't understand, and that in itself is worrying.

Suggestions on how to nail down the source of those write()s?

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de
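A kqueue(2) EVFILT_VNODE watcher of the kind the post describes, as an added example that is not the poster's program: it opens each path given on the command line, registers for vnode notifications, and prints which NOTE_* flags fired, so a NOTE_WRITE can be distinguished from a bare NOTE_ATTRIB. The event loop assumes FreeBSD or macOS; on other systems only the flag decoder builds, using the NOTE_* values from FreeBSD's <sys/event.h> (an assumption stated in the code).

```c
/* Added example (not from the original post): minimal kqueue(2) EVFILT_VNODE
 * watcher that reports the NOTE_* flags raised on each watched path. The watch
 * loop needs FreeBSD/macOS; the flag decoder is plain C and builds anywhere. */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#if defined(__FreeBSD__) || defined(__APPLE__)
#include <sys/types.h>
#include <sys/event.h>
#define HAVE_KQUEUE 1
#else /* assumed values, copied from FreeBSD's <sys/event.h>, for the decoder */
#define NOTE_DELETE 0x0001
#define NOTE_WRITE  0x0002
#define NOTE_EXTEND 0x0004
#define NOTE_ATTRIB 0x0008
#define NOTE_RENAME 0x0020
#endif
/* Render an fflags bitmask as e.g. "NOTE_WRITE|NOTE_ATTRIB"; returns buf. */
const char *vnode_flags_str(unsigned int fflags, char *buf, size_t len)
{
    static const struct { unsigned int bit; const char *name; } tab[] = {
        { NOTE_DELETE, "NOTE_DELETE" }, { NOTE_WRITE,  "NOTE_WRITE" },
        { NOTE_EXTEND, "NOTE_EXTEND" }, { NOTE_ATTRIB, "NOTE_ATTRIB" },
        { NOTE_RENAME, "NOTE_RENAME" },
    };
    size_t i, used = 0;
    buf[0] = '\0';
    for (i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (fflags & tab[i].bit)   /* append "|NAME", never overrunning buf */
            used += (size_t)snprintf(buf + used, used < len ? len - used : 0,
                                     "%s%s", used ? "|" : "", tab[i].name);
    return buf;
}
#ifdef HAVE_KQUEUE
int main(int argc, char **argv)      /* usage: ./watch /bin/ls /bin/sh ... */
{
    struct kevent ev; char desc[128]; int kq = kqueue(), i;
    for (i = 1; i < argc; i++) {
        int fd = open(argv[i], O_RDONLY);
        if (fd < 0) { perror(argv[i]); continue; }
        EV_SET(&ev, fd, EVFILT_VNODE, EV_ADD | EV_CLEAR,
               NOTE_WRITE | NOTE_ATTRIB | NOTE_EXTEND | NOTE_DELETE | NOTE_RENAME,
               0, argv[i]);            /* udata carries the path for reporting */
        kevent(kq, &ev, 1, NULL, 0, NULL);
    }
    while (kevent(kq, NULL, 0, &ev, 1, NULL) == 1)      /* block for events */
        printf("%s: %s\n", (char *)ev.udata, vnode_flags_str(ev.fflags, desc, sizeof desc));
    return 0;
}
#endif
```

A real NOTE_WRITE on an otherwise unchanged binary points at something rewriting the file with identical contents, whereas a lone NOTE_ATTRIB would be consistent with a plain utimes() call.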