From owner-freebsd-questions@FreeBSD.ORG Sun Aug 27 14:19:03 2006
Message-ID: <44F1A542.6000402@collaborativefusion.com>
Date: Sun, 27 Aug 2006 09:59:30 -0400
From: Bill Moran
To: dick hoogendijk
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20060827114817.5b5124dd.dick@nagual.nl>
Subject: Re: Fw: lothlorien.nagual.nl security run output

dick hoogendijk wrote:
> I'm a little worried after reading the security output this morning.
> It seems some files [ping, ping6, shutdown, at, atq and atrm] have
> setuid diffs. I really don't know why this could have happened.
> I updated some ports yesterday, but I don't think any port writes
> in /sbin (?)
> Could somebody advise me on what can have happened?
>

If you didn't do an installworld or any other upgrade, then something is
wrong. They could be trojaned as part of a break-in, or you could be
experiencing disk corruption.

> Begin forwarded message [some Xorg update warnings deleted]:
>
> Checking setuid files and devices:
> Checking setuid files and devices:
>
> lothlorien.nagual.nl setuid diffs:
> --- /var/log/setuid.today Mon Aug 14 03:03:25 2006
> +++ /tmp/security.aJbHsCR6 Sun Aug 27 03:03:22 2006
> @@ -3,12 +3,12 @@
> 23637 -r-sr-xr-x 1 root wheel 21792 May 12 21:47:15
> 2006 /sbin/ping
> 23638 -r-sr-xr-x 1 root wheel 28660 May 12
> 21:47:15 2006 /sbin/ping6
> 23651 -r-sr-x--- 1 root operator 10148
> May 12 21:47:17 2006 /sbin/shutdown
> 7042059 -r-sr-xr-x 4 root wheel 20948
> May 12 21:48:10 2006 /usr/bin/at
> 7042059 -r-sr-xr-x 4 root
> wheel 20948 May 12 21:48:10 2006 /usr/bin/atq
> 7042059 -r-sr-xr-x 4
> root wheel 20948 May 12 21:48:10 2006 /usr/bin/atrm
>
>
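
Review bot: the hunk header "@@ -3,12 +3,12 @@" announces twelve lines on each side, but only six entries are visible and none of them carries a "-" or "+" marker, so the listing as forwarded does not show which field changed for any of the six files. Forwarding both the removed and the added line for each path would let a reader compare inode, mode, size and timestamp directly. Also, /usr/bin/at, /usr/bin/atq and /usr/bin/atrm share inode 7042059 with a link count of 4, so they are names for one file and represent a single change rather than three.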
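
An added example, not part of either message and not FreeBSD's own security script: Python that parses two setuid snapshots in the listing format quoted above and reports, per path, which fields differ, so a flagged entry can be checked field by field. The function names are assumptions of this example, and the inode and timestamp in the second snapshot are constructed sample values.

```python
import re

# Listing format quoted in the message:
# inode mode links owner group size "Mon DD HH:MM:SS YYYY" path
ENTRY = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<mode>\S{10})\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<size>\d+)\s+(?P<mtime>\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+"
    r"(?P<path>/.*)$"
)
FIELDS = ("inode", "mode", "links", "owner", "group", "size", "mtime")

def parse_snapshot(text):
    """Return {path: {field: value}} for every well-formed entry in a snapshot."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # lines that do not fit the format are skipped
            rec = m.groupdict()
            entries[rec.pop("path")] = rec
    return entries

def compare_snapshots(old_text, new_text):
    """Return {path: 'added' | 'removed' | {field: (old, new)}} for changed paths."""
    old, new = parse_snapshot(old_text), parse_snapshot(new_text)
    report = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            report[path] = "added"
        elif path not in new:
            report[path] = "removed"
        else:
            changed = {f: (old[path][f], new[path][f])
                       for f in FIELDS if old[path][f] != new[path][f]}
            if changed:
                report[path] = changed
    return report

# Constructed sample: OLD reuses two entries from the message, NEW is invented.
OLD = """\
 23637 -r-sr-xr-x 1 root wheel 21792 May 12 21:47:15 2006 /sbin/ping
 23651 -r-sr-x--- 1 root operator 10148 May 12 21:47:17 2006 /sbin/shutdown
"""
NEW = """\
 23999 -r-sr-xr-x 1 root wheel 21792 Aug 26 18:02:41 2006 /sbin/ping
 23651 -r-sr-x--- 1 root operator 10148 May 12 21:47:17 2006 /sbin/shutdown
"""

if __name__ == "__main__":
    print(compare_snapshots(OLD, NEW))
```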