From: Dan Strick
Date: Wed, 14 Apr 2004 02:33:39 -0700 (PDT)
To: dmehler26@woh.rr.com
cc: freebsd-questions@freebsd.org
Subject: Re: have i been hacked?
Message-Id: <200404140933.i3E9XdSE000461@mist.nodomain>

> ...
> When i got the daily run
> output i noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this?
> ...
>
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
> ...

The "ls" command the security script uses to discover all of the setuid files on your system failed for some unspecified reason and this caused the script to think that all the setuid files discovered during the previous run of this security script had gone away. The next time this script runs it may well report that these files have reappeared.

This is probably not evidence that your system was hacked.

Dan Strick
strick@covad.net
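
The failure mode described in the reply above, a scan that dies partway and is then diffed as if it were complete, can be avoided by checking the scanner's exit status before comparing against the baseline. The following is an added example, not part of the original message and not FreeBSD's periodic security script; the function names, the `LISTER` hook and the exit codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not the FreeBSD periodic script. Function names, the LISTER
# hook and the exit codes are assumptions made for this illustration.
# Usage (baseline path is a placeholder): check_setuid / /path/to/baseline

# List setuid/setgid regular files under $1, one "ls -ld" line per file.
# find exits non-zero if it or any ls invocation fails.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
}

# check_setuid ROOT BASELINE
# Returns 0 = unchanged (or first run), 1 = inventory changed, 2 = scan failed.
check_setuid() {
    root=$1
    baseline=$2
    tmp=$(mktemp "${TMPDIR:-/tmp}/setuid.XXXXXX") || return 2

    # Run the scan into a file, not a pipeline, so its exit status is
    # visible. LISTER lets a test substitute a failing scanner.
    if ! ${LISTER:-list_setuid} "$root" > "$tmp.raw" 2> "$tmp.err"; then
        echo "setuid scan of $root FAILED; results incomplete, not compared:"
        cat "$tmp.err"
        rm -f "$tmp" "$tmp.raw" "$tmp.err"
        return 2                      # baseline is left untouched
    fi
    sort "$tmp.raw" > "$tmp"
    rm -f "$tmp.raw" "$tmp.err"

    rc=0
    if [ -f "$baseline" ] && ! diff "$baseline" "$tmp"; then
        echo "setuid inventory of $root changed (diff above)"
        rc=1
    fi
    # Only a scan that completed successfully becomes the new baseline.
    mv "$tmp" "$baseline"
    return $rc
}
```

A report with exit code 2 says the scan itself broke, which is a different finding from exit code 1, where a complete scan really does differ from the previous one.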