From owner-freebsd-questions@FreeBSD.ORG Thu Aug 7 05:29:04 2014
Date: Thu, 07 Aug 2014 07:26:33 +0200
To: freebsd-questions@freebsd.org
From: "Kenneth Bernholm"
Subject: Investigating passwd, group and setuid diffs in status mails
Message-ID: <3651ef748410db561b04fe10796b8e65@bernholm.dk>

I have found a couple of worrying messages in the FreeBSD (10) status mails and I'm not sure how to interpret the information. Both mails came in at 03:11 last night, when I had for the first time left my workstation (zork) on. I have other FreeBSD 10 machines (servers) in the same LAN which are always on and they've reported nothing.

Below is the daily run output mail. I'm worried about the passwd and group diffs as I have not changed any groups or passwords for a while. My question is: how do I investigate these diffs properly, and are there any obvious explanations or reasons that I should know about?
Removing stale files from /var/preserve:

Cleaning out old system announcements:

Removing stale files from /var/rwho:

Backup passwd and group files:
zork passwd diffs:
34a35
> logcheck:(password):915:915::0:0:Logcheck system account:/var/lib/logcheck:/usr/local/bin/bash
zork group diffs:
41a42,43
> ssmtp:*:916:
> logcheck:*:915:

Verifying group file syntax:
/etc/group is fine

Backing up mail aliases:

Disk status:
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/ada0p2    140G     25G    105G    19%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0p1     451G     22G    393G     5%    /usbdisk

Network interface status:
Name    Mtu Network       Address              Ipkts Ierrs Idrop  Opkts Oerrs  Coll Drop
em0    1500               90:e2:ba:6a:c0:dc   247366     0     0 227852     0     0    0
em0    1500 192.168.1.0   zork                239442     -     - 226920     -     -    -
lo0   16384                                        0     0     0      0     0     0    0
lo0   16384 localhost     ::1                      0     -     -      0     -     -    -
lo0   16384 fe80::1%lo0   fe80::1                  0     -     -      0     -     -    -
lo0   16384 your-net      localhost                0     -     -      0     -     -    -

Local system status:
 3:01AM  up 22:21, 2 users, load averages: 0.24, 0.33, 0.25

Mail in local queue:
mailq: Mail queue is empty

Mail in submit queue:
mailq: Mail queue is empty

Security check:
    (output mailed separately)

Checking for rejected mail hosts:

Backing up pkgng database:

-- End of daily output --

My other worry is the daily security run output mail from the same workstation (see below). There are a couple of setuid diffs and then a dump of old log file entries. My question is again: how do I investigate these diffs and what could cause them? Also - why the dump of the old log entries?
Checking setuid files and devices: zork setuid diffs: --- = /var/log/setuid.today 2014-05-21 03:07:00.000000000 +0200 +++ = /tmp/security.kNUKUHM3 2014-08-07 03:06:29.000000000 +0200 @@ = -32,13 +32,15 @@ 7704735 -r-sr-xr-x 6 root wheel 22376 Jan 16 = 23:41:02 2014 /usr/bin/ypchpass 7704735 -r-sr-xr-x 6 root wheel = 22376 Jan 16 23:41:02 2014 /usr/bin/ypchsh 7704601 -r-sr-xr-x 2 root = wheel 8296 Jan 16 23:41:09 2014 /usr/bin/yppasswd -7791699 = -r-xr-sr-x 1 root smmsp 676064 Jan 16 23:41:34 2014 = /usr/libexec/sendmail/sendmail +7791952 -r-xr-sr-x 1 root smmsp = 676064 Jun 26 06:30:49 2014 /usr/libexec/sendmail/sendmail 7707857 = -r-sr-xr-x 1 root wheel 32824 Jan 16 23:40:38 2014 = /usr/libexec/ssh-keysign 7707853 -r-sr-xr-x 1 root wheel 6000 = Jan 16 23:40:05 2014 /usr/libexec/ulog-helper 8268343 -r-sr-xr-x 1 = root=20 wheel 1819872 Apr 15 05:47:39 2014 /usr/local/bin/Xorg +8269540 = -rwxr-sr-x 1 root wheel 18064 Jun 26 06:34:34 2014 = /usr/local/bin/lockfile 8266420 -rwxr-sr-x 1 root mail 11392 = Apr 6 12:40:12 2014 /usr/local/bin/mutt_dotlock 8268183 -rwsr-xr-x 1 = root wheel 20072 Apr 15 05:43:54 2014 /usr/local/bin/pkexec = -8268086 -rwsr-x--- 1 root messagebus 280784 Apr 15 05:41:41 2014 = /usr/local/libexec/dbus-daemon-launch-helper +8269542 -rwsr-sr-x 1 root = wheel 98224 Jun 26 06:34:34 2014 /usr/local/bin/procmail +8269658 = -rwsr-x--- 1 root messagebus 270896 Jul 1 12:14:01 2014 = /usr/local/libexec/dbus-daemon-launch-helper 8268207 -rwsr-xr-x 1 root = wheel 12152 Apr 15 05:43:54 2014 = /usr/local/libexec/polkit-agent-helper-1 8268125 -rwxr-sr-x 1 root = polkit 19736 Apr 15 05:42:07 2014 = /usr/local/libexec/polkit-explicit-grant-helper=20 8268126 -rwxr-sr-x 1 root polkit 17712 Apr 15 05:42:07 2014 = /usr/local/libexec/polkit-grant-helper 
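Review bot: the sendmail pair (-7791699/+7791952 for /usr/libexec/sendmail/sendmail) is a new inode with the identical size 676064 and a Jun 26 06:30:49 mtime, two days after the 10.0-RELEASE-p6 build stamp (Tue Jun 24) that appears in the kernel log section, so it reads as a base-system update rather than a swapped binary; confirm that with freebsd-update IDS, which compares installed base files against the signed release manifest, instead of trusting the timestamp. Every other change in this hunk is under /usr/local and carries a port-install fingerprint: lockfile and procmail share the mtime Jun 26 06:34:34 (the procmail port installs both), and dbus-daemon-launch-helper is replaced by a new inode dated Jul 1 with the same owner, group and mode, matching the dbus-1.8.4 listed under "packages with security vulnerabilities" further down. For each path, pkg which <path> names the owning package and pkg check -s <package> verifies its files against the recorded checksums; a setuid root file that no package claims is the one to treat as suspect. Note also that the baseline /var/log/setuid.today is dated 2014-05-21: the workstation has not run the 03:00 periodic jobs since then, so changes made in June and July all surface in this one report.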
@@ -47,6 +49,7 @@ 8268129 = -rwsr-xr-x 1 root wheel 8472 Apr 15 05:42:07 2014 = /usr/local/libexec/polkit-resolve-exe-helper 8268130 -rwxr-sr-x 1 root = polkit 21328 Apr 15 05:42:07 2014 = /usr/local/libexec/polkit-revoke-helper 8268131 -rwsr-xr-x 1 root = polkit 22032 Apr 15 05:42:07 2014 = /usr/local/libexec/polkit-set-default-helper +8269530 -r-xr-sr-x 1 root = ssmtp 32360 Jun 25 10:26:12 2014 /usr/local/sbin/ssmtp 7707669 = -r-sr-sr-x 2 root authpf 24160 Jan 16 23:41:18 2014 = /usr/sbin/authpf 7707669 -r-sr-sr-x 2 root authpf 24160 Jan 16 = 23:41:18 2014 /usr/sbin/authpf-noip 7707607 -r-xr-sr-x 1 root daemon = 55584 Jan 16 23:41:27 2014 /usr/sbin/lpc Checking negative group = permissions: Checking for uids of 0: root 0 toor 0 Checking for passwordless accounts: Checking login.conf permissions: zork = kernel log messages: +++ /tmp/security.GuJvYr8G 2014-08-07 = 03:11:32.000000000 +0200 +FreeBSD 10.0-RELEASE-p6 #0: Tue Jun 24 07:47:37 = UTC 2014 +vgapci0: port 0x2220-0x2227 mem = 0xf0100000-0xf017ffff,0xe0000000-0xefffffff,0xf0000000-0xf00fffff irq 16 = at device 2.0 on pci0 +em0: = port 0x2100-0x211f mem 0xf0180000-0xf019ffff,0xf01a4000-0xf01a4fff irq 19 = at device 25.0 on pci0 +uhci0: port = 0x2120-0x213f irq 20 at device 26.0 on pci0 +uhci1: port 0x2140-0x215f irq 21 at device 26.1 on pci0 +uhci2: = port 0x2160-0x217f irq 22 at device = 26.2 on pci0 +uhci3: port = 0x2180-0x219f irq 20 at device 29.0 on pci0 +uhci4: port 0x21a0-0x21bf irq 21 at = device 29.1 on pci0 +em0: port 0x1100-0x113f mem 0xf0200000-0xf021ffff,0xf0220000-0xf023ffff = irq 20 at device 4.0 on pci7 +em0: Ethernet address: 90:e2:ba:6a:c0:dc = +atapci0: port = 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x21e0-0x21ef,0x21f0-0x21ff irq 18 at = device 31.2 on pci0 +atapci1: port = 0x2238-0x223f,0x2250-0x2253,0x2240-0x2247,0x2254-0x2257,0x2200-0x220f,0x22= 10-0x221f irq 18 at device 31.5 on pci0 +Timecounter "TSC-low" frequency = 1163772879 Hz quality 1000 +ugen3.2: at usbus3 +ugen1.2: = at usbus1 
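Review bot: the single addition in this hunk, +8269530 /usr/local/sbin/ssmtp (setgid ssmtp, mtime Jun 25), should be read together with the group diff in the daily mail, which adds ssmtp:*:916: and logcheck:*:915: alongside the logcheck passwd entry; a port's install step is what creates such accounts, so pkg which /usr/local/sbin/ssmtp and pkg info -l ssmtp should account for both the file and the date, whereas a setgid file and a new group that no package claims would be the real finding. The "kernel log messages" block that follows is not a dump of old entries: the check diffs the current dmesg against the copy saved at the last run, and since the machine has rebooted into 10.0-RELEASE-p6 (built Jun 24, with 22:21 of uptime in the daily mail) every boot message is new relative to a baseline from May, hence the leading + on each line.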
+ukbd0: on usbus1 +ums0: on usbus1 +uhid0: on usbus1

zork login failures:

zork refused connections:

Checking for packages with security vulnerabilities:
dbus-1.8.4
firefox-30.0_1,1
nss-3.16

-- End of security output --

Of course my main concern is if my system has been compromised. All inputs on the situation are greatly appreciated.

Kenneth Bernholm
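A triage helper for the "setuid diffs" section of the security mail, added here as an example and not part of the mail or of FreeBSD's periodic scripts. It assumes the find -ls style line layout visible above (inode, mode, links, owner, group, size, date, path), groups the +/- lines by path to tell a replaced binary from a new one, extracts the setuid/setgid privilege, and names the check a practitioner would run next (pkg which and pkg check -s for ports, freebsd-update IDS for the base system); the sample input is a constructed excerpt of the first hunk with its line breaks restored.

```python
import re
from collections import defaultdict

# One find -ls style line per entry: inode mode links owner group size mon day time year path
ENTRY = re.compile(r"^([+-])(\d+)\s+([-dlrwxsStT]{10})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                   r"(\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(/\S+)$")
# Constructed sample: part of the mail's first hunk with its line breaks restored.
SAMPLE = """\
--- /var/log/setuid.today 2014-05-21 03:07:00.000000000 +0200
+++ /tmp/security.kNUKUHM3 2014-08-07 03:06:29.000000000 +0200
@@ -32,13 +32,15 @@
 7704601 -r-sr-xr-x 2 root wheel 8296 Jan 16 23:41:09 2014 /usr/bin/yppasswd
-7791699 -r-xr-sr-x 1 root smmsp 676064 Jan 16 23:41:34 2014 /usr/libexec/sendmail/sendmail
+7791952 -r-xr-sr-x 1 root smmsp 676064 Jun 26 06:30:49 2014 /usr/libexec/sendmail/sendmail
+8269540 -rwxr-sr-x 1 root wheel 18064 Jun 26 06:34:34 2014 /usr/local/bin/lockfile
-8268086 -rwsr-x--- 1 root messagebus 280784 Apr 15 05:41:41 2014 /usr/local/libexec/dbus-daemon-launch-helper
+8269542 -rwsr-sr-x 1 root wheel 98224 Jun 26 06:34:34 2014 /usr/local/bin/procmail
+8269658 -rwsr-x--- 1 root messagebus 270896 Jul 1 12:14:01 2014 /usr/local/libexec/dbus-daemon-launch-helper
"""

def parse(diff_text):
    """Group the +/- entries by path: {path: {'+': entry, '-': entry}}."""
    by_path = defaultdict(dict)
    for line in diff_text.splitlines():
        m = ENTRY.match(line)
        if m:  # context lines, the @@ header and the ---/+++ lines do not match
            sign, inode, mode, owner, group, size, mtime, path = m.groups()
            by_path[path][sign] = dict(inode=int(inode), mode=mode, owner=owner,
                                       group=group, size=int(size), mtime=mtime)
    return by_path

def triage(diff_text):
    """Return (path, change, privilege, check) rows, one per changed path."""
    rows = []
    for path, ent in sorted(parse(diff_text).items()):
        cur = ent.get('+') or ent['-']          # the entry that exists now (or last did)
        priv = []
        if cur['mode'][3] in 'sS': priv.append('setuid ' + cur['owner'])
        if cur['mode'][6] in 'sS': priv.append('setgid ' + cur['group'])
        if cur['mode'][8] == 'w':  priv.append('WORLD-WRITABLE')   # never acceptable here
        if '+' in ent and '-' in ent:           # same path, new inode: the file was replaced
            same = ent['+']['size'] == ent['-']['size']
            change = 'replaced (new inode, %s size)' % ('same' if same else 'changed')
        else:
            change = 'added' if '+' in ent else 'removed'
        check = ('pkg which %s; pkg check -s <owning package>' % path      # ports
                 if path.startswith('/usr/local/') else 'freebsd-update IDS')  # base
        rows.append((path, change, ', '.join(priv) or 'none', check))
    return rows
```

Call triage(SAMPLE) to get the rows; on a live system feed it the text of the "setuid diffs" section instead, and treat any row whose named check does not account for the file as the one to investigate.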