From owner-freebsd-questions Thu Jan 30 07:38:42 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA15487 for questions-outgoing; Thu, 30 Jan 1997 07:38:42 -0800 (PST)
Received: from gluon.mep.ruhr-uni-bochum.de (gluon.mep.ruhr-uni-bochum.de [134.147.160.165]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id HAA15467 for ; Thu, 30 Jan 1997 07:38:27 -0800 (PST)
Received: (from roberte@localhost) by gluon.mep.ruhr-uni-bochum.de (8.6.12/8.6.12) id QAA17837; Thu, 30 Jan 1997 16:38:20 +0100
From: Robert Eckardt
Message-Id: <199701301538.QAA17837@gluon.mep.ruhr-uni-bochum.de>
Subject: Re: My security check output (fwd)
In-Reply-To: from ## Troy Settle at "30. Jan. 97 3:15:20"
To: rewt@i-plus.net (## Troy Settle)
Date: Thu, 30 Jan 1997 16:38:20 +0100 (MET)
Cc: freebsd-questions@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> Can anyone explain this to me? I'm confused as to what the differences
> are in these files. Have I been hacked? I don't see anything suspicious
> in my logs, or anywhere else. But these suid files show up as being
> different. Am I missing something?
>
> Troy Settle
>
> ---------- Forwarded message ----------
> Date: Thu, 30 Jan 1997 02:00:02 -0500 (EST)
> From: Charlie Root
> Subject: Radford security check output
>
> checking setuid files and devices:
> find: /home/.1/pitlord/www/sounds/built this city.mid: illegal path
> Radford setuid diffs:
> 77,80d80
  ~~~~~~~~
> < -r-xr-sr-x 1 bin kmem 12288 Nov 24 18:11:24 1996 /usr/sbin/slstat
> < -r-xr-sr-x 2 bin kmem 20480 Nov 24 18:11:14 1996 /usr/sbin/swapinfo
> < -r-sr-xr-x 1 root bin 20480 Nov 24 18:11:31 1996 /usr/sbin/timedc
> < -r-sr-xr-x 1 root bin 16384 Nov 24 18:11:31 1996 /usr/sbin/traceroute
> 88a89,92
  ~~~~~~~~
> > -r-xr-sr-x 1 bin kmem 12288 Nov 24 18:11:24 1996 /usr/sbin/slstat
[..]

You should see something before that in the diff file.
You likely have installed new programs and some of them show up in
the list of suid-programs. Everything else is moved down the list.
(Maybe it would be better to sort the list by program name first.)

I don't think there is anything suspicious on your machine
(except when someone else has installed SUID-progs :-).

Robert

--
Robert Eckardt ( Ruhr-Universitaet Bochum, Inst.f.Theor.Physik, NB6/169 )
Universitaetsstrasse 150, D-44780 Bochum, Germany        ----X---8----
Telefon: +49 234 700-3709, Telefax: +49 234 7094-574         8
E-Mail: RobertE@MEP.Ruhr-Uni-Bochum.de                   --------8----
URL: http://WWW.MEP.Ruhr-Uni-Bochum.de/~roberte
>>> To be successful one needs friends, <<<
>>> To be very successful one needs enemies. <<<
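
The reply's point about list order, as an added example that is not part of the original mail or of the FreeBSD security script: comparing two setuid listings by path reports only real additions, removals and attribute changes, while a line-by-line diff also reports every entry that merely moved. It assumes regular-file lines in the ten-field format quoted above; the listings and the `/usr/local/bin/newtool` entry are constructed.

```python
import difflib

# Constructed sample listings. The four /usr/sbin entries are the ones quoted
# in the mail; /usr/local/bin/newtool is a made-up, newly installed program.
OLD = """\
-r-xr-sr-x 1 bin kmem 12288 Nov 24 18:11:24 1996 /usr/sbin/slstat
-r-xr-sr-x 2 bin kmem 20480 Nov 24 18:11:14 1996 /usr/sbin/swapinfo
-r-sr-xr-x 1 root bin 20480 Nov 24 18:11:31 1996 /usr/sbin/timedc
-r-sr-xr-x 1 root bin 16384 Nov 24 18:11:31 1996 /usr/sbin/traceroute
"""
NEW = """\
-r-sr-xr-x 1 root bin 20480 Nov 24 18:11:31 1996 /usr/sbin/timedc
-r-sr-xr-x 1 root bin 16384 Nov 24 18:11:31 1996 /usr/sbin/traceroute
-r-sr-xr-x 1 root wheel 24576 Jan 29 21:40:02 1997 /usr/local/bin/newtool
-r-xr-sr-x 1 bin kmem 12288 Nov 24 18:11:24 1996 /usr/sbin/slstat
-r-xr-sr-x 2 bin kmem 20480 Nov 24 18:11:14 1996 /usr/sbin/swapinfo
"""

def parse_listing(text):
    """Map path -> (mode, links, owner, group, size, mtime fields) per line."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 9)  # the path is field 10 and may contain spaces
        if len(parts) == 10:
            entries[parts[9]] = tuple(parts[:9])
    return entries

def compare(old_text, new_text):
    """Return (added, removed, changed) paths, independent of list order."""
    old, new = parse_listing(old_text), parse_listing(new_text)
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, changed

def positional_noise(old_text, new_text):
    """Count the +/- lines a plain line-by-line diff reports for the same input."""
    diff = list(difflib.unified_diff(old_text.splitlines(),
                                     new_text.splitlines(), lineterm="", n=0))
    return sum(1 for line in diff[2:] if line[0] in "+-")  # [2:] skips file headers

if __name__ == "__main__":
    added, removed, changed = compare(OLD, NEW)
    print("line diff reports", positional_noise(OLD, NEW), "changed lines")
    print("added:", added, "removed:", removed, "changed:", changed)
```

An entry that shows up under "added" or "changed" is the one to check against what was knowingly installed; entries that only moved no longer appear at all.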