From owner-freebsd-security  Mon Aug  6  8: 6: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from blues.jpj.net (unknown [204.97.17.6])
	by hub.freebsd.org (Postfix) with ESMTP id 7FE8237B401
	for <freebsd-security@FreeBSD.ORG>; Mon,  6 Aug 2001 08:05:59 -0700 (PDT)
	(envelope-from trevor@jpj.net)
Received: from localhost (trevor@localhost)
	by blues.jpj.net (8.11.1/8.11.1) with ESMTP id f76F5t322849;
	Mon, 6 Aug 2001 11:05:55 -0400 (EDT)
Date: Mon, 6 Aug 2001 11:05:54 -0400 (EDT)
From: Trevor Johnson <trevor@jpj.net>
To: Christian Weisgerber <naddy@mips.inka.de>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Tracing writes?
In-Reply-To: <9km9fr$1sb$1@kemoauc.mips.inka.de>
Message-ID: <20010806105944.N19105-100000@blues.jpj.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

> Suggestions how to nail down the source of those write()s?

Maybe do "chflags -R schg /bin/" and wait for new error messages?
Of course, that would tip off the intruder, if there were one.
-- 
Trevor Johnson


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message