Date: Sat, 15 Feb 1997 03:38:10 +1100
From: David Nugent <davidn@labs.usn.blaze.net.au>
To: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: [root@server.blaze.net.au: server security check output]
Message-ID: <19970215033810.19932@usn.blaze.net.au>

-----Forwarded message from System Administrator <root@server.blaze.net.au>-----

server setuid diffs:
25c25
< -r-sr-xr-x 5 root bin 294912 Feb 9 02:17:20 1997 /usr/bin/hoststat
---
> -r-sr-xr-x 5 root bin 294912 Feb 15 00:51:48 1997 /usr/bin/hoststat
34c34
< -r-sr-xr-x 5 root bin 294912 Feb 9 02:17:20 1997 /usr/bin/mailq
---
> -r-sr-xr-x 5 root bin 294912 Feb 15 00:51:48 1997 /usr/bin/mailq
37c37
< -r-sr-xr-x 5 root bin 294912 Feb 9 02:17:20 1997 /usr/bin/newaliases
---
> -r-sr-xr-x 5 root bin 294912 Feb 15 00:51:48 1997 /usr/bin/newaliases
114,115c114,115
< -r-sr-xr-x 5 root bin 294912 Feb 9 02:17:20 1997 /usr/sbin/purgestat
< -r-sr-xr-x 5 root bin 294912 Feb 9 02:17:20 1997 /usr/sbin/sendmail
---
> -r-sr-xr-x 5 root bin 294912 Feb 15 00:51:48 1997 /usr/sbin/purgestat
> -r-sr-xr-x 5 root bin 294912 Feb 15 00:51:48 1997 /usr/sbin/sendmail

-----End of forwarded message-----

This is the second time I've seen this since I last built world -
something has "touched" sendmail. It doesn't appear to have been
hacked, and I even checked the md5 against what it was originally
when I last installed sendmail and it hasn't changed. But suddenly
the file date has been modified, and only a couple of hours ago.

This makes me a little nervous. Nothing in any log indicates a
problem; in fact, /var/log/maillog shows no activity for a couple
of minutes previous to a couple of minutes after the mtime:

Feb 15 01:50:10 server sendmail[26963]: BAA26959: to=ronno, ctladdr=root (0/0), delay=00:00:05, xdelay=00:00:00, mailer=local, stat=Sent
Feb 15 01:53:32 server sendmail[26258]: BAA26258: from=root, size=2555, class=0, pri=32555, nrcpts=1, msgid=<199702141445.BAA26258@server.blaze.net.au>, relay=root@localhost

Anyone else seen this, or might offer a clue as to what is going
on? The sendmail executable in /usr/obj seems to not have been
touched, nor any of the directories, and it certainly has the
original md5 as well.

The system is running -current, built from sources ~6th of Feb
and (obviously) sendmail 8.8.5. It is a fairly busy mail server
and does a fair amount of mail forwarding in addition to handling
local users.

There is only one event I can find that might explain it, which
I just came across. One of our dialup users dialed in and ran
sendmail -q, obviously to force queue delivery. In his tcsh
.history file I find:

    Sat Feb 15 00:51:35 1997 sendmail -q

Oh well, chflags is good for something. :-)

This would appear to be Yet Another Sendmail Bug.

Regards,

David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-9791-9547 Data/BBS +61-3-9792-3507 3:632/348@fidonet
davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
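
Added example, not part of the original message or of the FreeBSD security check script: a baseline comparison that separates an mtime-only change (the case reported above, where the digest still matched) from a content or permission change. All five flagged paths show a link count of 5 with identical size and timestamps, which is consistent with five names for one file, so the sketch reports one event per inode. The function names are hypothetical, and SHA-256 stands in for the md5 check mentioned in the message.

```python
import hashlib
import os
import stat
from collections import defaultdict

def snapshot(paths):
    """Record metadata and a SHA-256 digest for each regular file, keyed by path."""
    snap = {}
    for path in paths:
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks, devices and directories are out of scope here
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        snap[path] = {"inode": (st.st_dev, st.st_ino),
                      "mode": stat.S_IMODE(st.st_mode),
                      "owner": (st.st_uid, st.st_gid),
                      "mtime": st.st_mtime_ns,
                      "sha256": digest}
    return snap

def find_setuid(root):
    """Yield regular files under root that carry the setuid or setgid bit."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path

def classify(old, new):
    """Compare two snapshots; return sorted (verdict, [names]) pairs, one per inode."""
    events = defaultdict(list)
    for path in sorted(set(old) | set(new)):
        if path not in old:
            key = ("added", new[path]["inode"])
        elif path not in new:
            key = ("removed", old[path]["inode"])
        else:
            a, b = old[path], new[path]
            if a["sha256"] != b["sha256"]:
                verdict = "content-changed"        # the binary itself differs
            elif (a["mode"], a["owner"]) != (b["mode"], b["owner"]):
                verdict = "perms-changed"          # same bytes, different privileges
            elif a["inode"] != b["inode"]:
                verdict = "replaced-same-content"  # reinstalled copy of the same bytes
            elif a["mtime"] != b["mtime"]:
                verdict = "mtime-only"             # touched in place, bytes unchanged
            else:
                continue
            key = (verdict, b["inode"])
        events[key].append(path)  # hard links to one inode collapse into one event
    return sorted((verdict, names) for (verdict, _ino), names in events.items())
```

Typical use is `classify(saved_baseline, snapshot(find_setuid("/usr")))`, with the baseline stored somewhere the monitored host cannot rewrite.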