Date: Wed, 18 Feb 2015 10:13:45 +0100 (CET)
From: Raimund Sacherer <rs@logitravel.com>
To: freebsd-questions@freebsd.org
Subject: setuid diffs in daily security run output
Message-ID: <535737942.88794111.1424250825035.JavaMail.zimbra@logitravel.com>
In-Reply-To: <1630133808.88787292.1424250372563.JavaMail.zimbra@logitravel.com>

Hello,

This is one of our first FreeBSD servers we use, and I'd rather be safe than sorry. We put in production a FreeBSD 10.0 system and it has been running (in production) a couple of weeks now.

Reading the security run emails today I noticed a lot of those:

--- snip ---
- 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
- 511 -r-sr-x--- 1 root operator 9880 Jan 16 22:40:33 2014 /sbin/mksnap_ffs
- 471 -r-sr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
- 546 -r-sr-xr-x 1 root wheel 36496 Jan 16 22:40:34 2014 /sbin/ping6
- 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/poweroff
- 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/shutdown
- 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/at
- 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/atq
--- snip ---

I did not see those messages before, but I do normally read those mails. So I checked with stat:

File: "/bin/rcp"
Size: 19912 FileType: Regular File
Mode: (4555/-r-sr-xr-x) Uid: ( 0/ root) Gid: ( 0/ wheel)
Device: 71,202637507 Inode: 587 Links: 1
Access: Thu Jan 16 23:40:07 2014
Modify: Thu Jan 16 23:40:07 2014
Change: Fri Aug 1 18:15:30 2014

But there are no strange modifications recently ...

How come those messages are in the security output today? Are those permissions correct? Should I be worried about an intruder?

Best
Ray