From: "Craig Riter" <criter@riter.com>
To: freebsd-security@freebsd.org
Date: Sun, 7 Dec 2003 09:14:56 -0800
Subject: possible compromise or just misreading logs
List-Id: Security issues [members-only posting]

I am not sure if I had a compromise, but since I am not sure, I wanted some other input. I noticed this in my daily security run output:

pc1 setuid diffs:
19c19
< 365635 -rwsr-xr-x 1 root wheel 204232 Sep 27 21:23:19 2003 /usr/X11R6/bin/xscreensaver
---
> 365781 -rwsr-xr-x 1 root wheel 205320 Dec 4 07:55:59 2003 /usr/X11R6/bin/xscreensaver

It was the only file listed, and I didn't remember changing anything on my PC having to do with the screensaver. I can't even remember for sure if I was on my computer at that time.
I also noticed this message on my screen (I still have syslogd write some messages there):

Dec 4 07:54:13 pc1 /kernel: pid 62069 (msgfmt), uid 0: exited on signal 6 (core dumped)
Dec 4 07:57:04 pc1 /kernel: pid 64543 (msgfmt), uid 0: exited on signal 6 (core dumped)

When looking in /usr/X11R6/bin I saw some other files that were modified around this time. I didn't have a reason to modify these other files, so I don't think it was me.

drwxr-xr-x 3 root wheel 10752 Dec 4 09:18 ./
-r--r--r-- 1 root wheel 5324 Dec 4 09:18 qtrename140
-r--r--r-- 1 root wheel 8065 Dec 4 09:18 qt20fix
-r--r--r-- 1 root wheel 218708 Dec 4 09:18 moc2
-r--r--r-- 1 root wheel 4160 Dec 4 09:18 findtr
-r--r--r-- 1 root wheel 206044 Dec 4 09:18 uic
-r--r--r-- 1 root wheel 41964 Dec 4 07:57 xscreensaver-gl-helper
dr--r--r-- 2 root wheel 3584 Dec 4 07:57 xscreensaver-hacks/
-r--r--r-- 1 root wheel 988 Dec 4 07:56 screensaver-properties-capplet
-r--r--r-- 1 root wheel 4790 Dec 4 07:56 xscreensaver-getimage-video
-r--r--r-- 1 root wheel 116916 Dec 4 07:56 xscreensaver-getimage
-r--r--r-- 1 root wheel 7271 Dec 4 07:56 xscreensaver-getimage-file
-r--r--r-- 1 root wheel 168360 Dec 4 07:56 xscreensaver-demo
-r--r--r-- 1 root wheel 205320 Dec 4 07:55 xscreensaver
-r--r--r-- 1 root wheel 17624 Dec 4 07:55 xscreensaver-command

I have since made them all read-only, since I didn't want to run them in case they had a trojan.

So, my question is: did I have a break-in? This machine is accessible only as a web server through NAT and ipfw (if I configured my ipfw correctly). I had just installed Apache 1.3.29.

Second, what are people using for intrusion detection? This is something I have thought about but never really thought I needed until now.

Thanks,
Craig
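A baseline-and-compare check of the kind the daily security run does for setuid files, added here as an example (it is not from the post and not FreeBSD's own periodic(8) script); it assumes a POSIX sh with find, ls, diff and either sha256sum or FreeBSD's sha256, and records a content hash as well as the mode, owner and size, so a replaced binary is caught even when the attacker preserves permissions and timestamps.

```shell
#!/bin/sh
# Added example (not from the post or from FreeBSD's periodic(8) scripts):
# a baseline-and-compare check for setuid/setgid files. Each line records
# mode, uid, gid, size and a SHA-256 of the contents, so a replaced binary
# shows up even if an attacker preserved the mode, owner and timestamps.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1          # GNU coreutils
    else
        sha256 -q "$1"                           # FreeBSD
    fi
}

# setuid_snapshot DIR: one line per setuid/setgid regular file under DIR,
# sorted so the output is stable and can be diffed against a baseline.
setuid_snapshot() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        # ls -ln fields: mode links uid gid size ...; same on GNU and BSD ls.
        set -- $(ls -ln "$f")
        printf '%s %s %s %s %s %s\n' "$1" "$3" "$4" "$5" "$(hash_file "$f")" "$f"
    done
}

# setuid_check DIR BASELINE: compare the saved snapshot with the current state.
# Returns 0 when nothing changed, 1 (after printing the diff) when something did.
setuid_check() {
    tmp=$(mktemp) || return 2
    setuid_snapshot "$1" > "$tmp"
    if cmp -s "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    echo "setuid diffs:"
    diff "$2" "$tmp"
    rm -f "$tmp"
    return 1
}
```

Take the baseline with `setuid_snapshot / > /var/db/setuid.base` from a state you trust and keep a copy off the host or on read-only media; a baseline taken after the suspicious change only proves that nothing changed since then.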