Date: Sun, 12 Aug 2001 11:15:49 -0400 (EDT)
From: Matthew Sundling <sundlm@rpi.edu>
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Cc: sundlm@rpi.edu
Subject: security check output: questionable setuid diffs help?
Message-ID: <Pine.BSF.4.10.10108121043240.82545-100000@monica.cs.rpi.edu>
I am new to the land of maintaining and securing my own unix-like box, and so I have been presented with all the new problems (interesting learning experiences?) that lie therein.

FYI: my machine = FreeBSD 4.3-RELEASE #2: Fri Aug 3 19:32:28 GMT 2001

I just started reading/following online security-related websites on how to secure my machine yesterday (before yesterday my machine was running at securelevel=-1, with finger/telnet/ftp all still active in the default manner), and curiously messages appeared in my daily security check emails today (pasted below). Please note the change in time stamp.

I would also point out the fact that I started logging TCP/UDP connection attempts yesterday, and it looked like several (~7) machines were port scanning. Also, my ISP is a rather open cable modem network. Also, I know little about true security and the art of detecting breaches. And I have not done any recent make worlds or installed any new system software since yesterday that would cause these changes. I did remove all services from the inetd, though...

Also, the header of the daily security log included:

> To: undisclosed-recipients:;

Is this normal? I ask because I have no 'original' logs to compare the header against, so I can't tell if this is normal. I checked my crontab, /etc/periodic/* stuff and it _seems_ like root is the only recipient, but I can't really tell.

Any suggestions? Has my machine been penetrated? Any advice?
(Please excuse the long posting, but the entries are repetitive and the pattern easy to see)

my.hostaddr.goes.here setuid diffs:
1,74c1,79
< 31242 -r-xr-sr-x 1 root operator 56892 Apr 21 09:05:46 2001 /bin/df
< 31254 -r-sr-xr-x 1 root wheel 317400 Apr 21 09:13:35 2001 /bin/rcp
< 46878 -r-xr-sr-x 1 root kmem 62792 Apr 21 09:08:02 2001 /sbin/ccdconfig
< 46884 -r-xr-sr-x 1 root kmem 69512 Apr 21 09:08:03 2001 /sbin/dmesg
< 46946 -r-xr-sr-x 2 root tty 329912 Apr 21 09:14:14 2001 /sbin/dump
< 46922 -r-sr-xr-x 1 root wheel 196376 Apr 21 09:08:15 2001 /sbin/ping
< 46923 -r-sr-xr-x 1 root bin 191380 Apr 21 09:08:15 2001 /sbin/ping6
< 46946 -r-xr-sr-x 2 root tty 329912 Apr 21 09:14:14 2001 /sbin/rdump
< 46948 -r-xr-sr-x 2 root tty 356520 Apr 21 09:14:18 2001 /sbin/restore
< 46885 -r-sr-xr-x 1 root wheel 192484 Apr 21 09:08:16 2001 /sbin/route
< 46948 -r-xr-sr-x 2 root tty 356520 Apr 21 09:14:18 2001 /sbin/rrestore
< 46932 -r-sr-x--- 1 root operator 165008 Apr 21 09:08:17 2001 /sbin/shutdown
< 548209 -rwsr-xr-x 1 root wheel 7533 Mar 22 05:28:49 2001 /usr/X11R6/bin/Xwrapper
< 548170 -rwsr-xr-x 1 root wheel 11980 Mar 22 05:27:06 2001 /usr/X11R6/bin/dga
< 326018 -r-sr-xr-x 1 root wheel 8948 Apr 18 21:44:29 2001 /usr/X11R6/bin/gnome-pty-helper
< 548203 -rwsr-xr-x 1 root wheel 166040 Mar 22 05:27:26 2001 /usr/X11R6/bin/xterm
< 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 09:09:19 2001 /usr/bin/at
< 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 09:09:19 2001 /usr/bin/atq
< 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 09:09:19 2001 /usr/bin/atrm
< 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 09:09:19 2001 /usr/bin/batch
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/chfn
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/chpass
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/chsh
< 8247 -r-sr-xr-x 1 root wheel 24508 Apr 21 09:09:59 2001 /usr/bin/crontab
< 7937 -r-sr-sr-x 1 uucp dialer 123888 Apr 21 09:06:15 2001 /usr/bin/cu
< 8079 -r-xr-sr-x 1 root kmem 13108 Apr 21 09:09:26 2001 /usr/bin/fstat
< 8094 -r-xr-sr-x 1 root kmem 9832 Apr 21 09:09:27 2001 /usr/bin/ipcs
< 8100 -r-sr-xr-x 1 root wheel 510 Apr 21 09:09:28 2001 /usr/bin/keyinfo
< 8101 -r-sr-xr-x 1 root wheel 7444 Apr 21 09:09:28 2001 /usr/bin/keyinit
< 8118 -r-sr-xr-x 1 root wheel 7004 Apr 21 09:09:31 2001 /usr/bin/lock
< 8121 -r-sr-xr-x 1 root wheel 20436 Apr 21 09:14:06 2001 /usr/bin/login
< 8252 -r-sr-sr-x 1 root daemon 23720 Apr 21 09:10:26 2001 /usr/bin/lpq
< 8253 -r-sr-sr-x 1 root daemon 27304 Apr 21 09:10:26 2001 /usr/bin/lpr
< 8254 -r-sr-sr-x 1 root daemon 22668 Apr 21 09:10:26 2001 /usr/bin/lprm
< 7993 -r-sr-xr-x 1 man wheel 28512 Apr 21 09:06:46 2001 /usr/bin/man
< 8140 -r-xr-sr-x 1 root kmem 85712 Apr 21 09:09:35 2001 /usr/bin/netstat
< 8142 -r-xr-sr-x 1 root kmem 9936 Apr 21 09:09:35 2001 /usr/bin/nfsstat
< 8270 -r-sr-xr-x 2 root wheel 30636 Apr 21 09:14:08 2001 /usr/bin/passwd
< 8156 -r-sr-xr-x 1 root wheel 10440 Apr 21 09:09:37 2001 /usr/bin/quota
< 8150 -r-sr-xr-x 1 root wheel 17564 Apr 21 09:14:09 2001 /usr/bin/rlogin
< 8152 -r-sr-xr-x 1 root wheel 14748 Apr 21 09:14:10 2001 /usr/bin/rsh
< 8161 -r-sr-xr-x 1 root wheel 11560 Apr 21 09:14:10 2001 /usr/bin/su
< 8179 -r-xr-sr-x 1 root kmem 56144 Apr 21 09:09:41 2001 /usr/bin/systat
< 8187 -r-xr-sr-x 1 root kmem 32344 Apr 21 09:09:42 2001 /usr/bin/top
< 7938 -r-sr-xr-x 1 uucp wheel 88228 Apr 21 09:06:16 2001 /usr/bin/uucp
< 7940 -r-sr-xr-x 1 uucp wheel 37312 Apr 21 09:06:16 2001 /usr/bin/uuname
< 7943 -r-sr-sr-x 1 uucp dialer 96752 Apr 21 09:06:16 2001 /usr/bin/uustat
< 7945 -r-sr-xr-x 1 uucp wheel 88844 Apr 21 09:06:16 2001 /usr/bin/uux
< 8212 -r-xr-sr-x 1 root kmem 16368 Apr 21 09:09:47 2001 /usr/bin/vmstat
< 8214 -r-xr-sr-x 1 root tty 9040 Apr 21 09:09:47 2001 /usr/bin/wall
< 8222 -r-xr-sr-x 1 root tty 7500 Apr 21 09:09:48 2001 /usr/bin/write
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/ypchfn
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/ypchpass
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/ypchsh
< 8270 -r-sr-xr-x 2 root wheel 30636 Apr 21 09:14:08 2001 /usr/bin/yppasswd
< 730141 -r-xr-sr-x 1 root games 7176 Apr 21 09:05:56 2001 /usr/games/dm
< 476168 -r-sr-xr-x 1 root wheel 398740 Apr 21 09:10:28 2001 /usr/libexec/sendmail/sendmail
< 492035 -r-sr-sr-x 1 uucp dialer 220704 Apr 21 09:06:15 2001 /usr/libexec/uucp/uucico
< 492036 -r-sr-s--- 1 uucp uucp 99584 Apr 21 09:06:17 2001 /usr/libexec/uucp/uuxqt
< 183184 -rwsr-xr-x 1 root wheel 641862 Aug 4 14:18:49 2001 /usr/local/bin/xscreensaver
< 507951 -r-xr-sr-x 1 root kmem 4664 Apr 21 09:10:01 2001 /usr/sbin/ifmcstat
< 507953 -r-xr-sr-x 1 root kmem 9608 Apr 21 09:10:01 2001 /usr/sbin/iostat
< 508068 -r-xr-sr-x 1 root daemon 30196 Apr 21 09:10:25 2001 /usr/sbin/lpc
< 507971 -r-sr-xr-x 1 root wheel 16348 Apr 21 09:10:04 2001 /usr/sbin/mrinfo
< 507973 -r-sr-xr-x 1 root wheel 29896 Apr 21 09:10:05 2001 /usr/sbin/mtrace
< 508111 -r-sr-xr-- 1 root network 295124 Apr 21 09:10:16 2001 /usr/sbin/ppp
< 508112 -r-sr-xr-x 1 root wheel 95388 Apr 21 09:10:16 2001 /usr/sbin/pppd
< 508009 -r-xr-sr-x 2 root kmem 14808 Apr 21 09:10:16 2001 /usr/sbin/pstat
< 508032 -r-sr-x--- 1 root network 11112 Apr 21 09:10:19 2001 /usr/sbin/sliplogin
< 508009 -r-xr-sr-x 2 root kmem 14808 Apr 21 09:10:16 2001 /usr/sbin/swapinfo
< 508040 -r-sr-xr-x 1 root wheel 15112 Apr 21 09:10:20 2001 /usr/sbin/timedc
< 508041 -r-sr-xr-x 1 root wheel 13168 Apr 21 09:10:20 2001 /usr/sbin/traceroute
< 508042 -r-sr-xr-x 1 root bin 14952 Apr 21 09:10:20 2001 /usr/sbin/traceroute6
< 508043 -r-xr-sr-x 1 root kmem 8040 Apr 21 09:10:20 2001 /usr/sbin/trpt
---
> 31242 -r-xr-sr-x 1 root operator 56892 Apr 21 05:05:46 2001 /bin/df
> 31254 -r-sr-xr-x 1 root wheel 317400 Apr 21 05:13:35 2001 /bin/rcp
> 46878 -r-xr-sr-x 1 root kmem 62792 Apr 21 05:08:02 2001 /sbin/ccdconfig
> 46884 -r-xr-sr-x 1 root kmem 69512 Apr 21 05:08:03 2001 /sbin/dmesg
> 46946 -r-xr-sr-x 2 root tty 329912 Apr 21 05:14:14 2001 /sbin/dump
> 46922 -r-sr-xr-x 1 root wheel 196376 Apr 21 05:08:15 2001 /sbin/ping
> 46923 -r-sr-xr-x 1 root bin 191380 Apr 21 05:08:15 2001 /sbin/ping6
> 46946 -r-xr-sr-x 2 root tty 329912 Apr 21 05:14:14 2001 /sbin/rdump
> 46948 -r-xr-sr-x 2 root tty 356520 Apr 21 05:14:18 2001 /sbin/restore
> 46885 -r-sr-xr-x 1 root wheel 192484 Apr 21 05:08:16 2001 /sbin/route
> 46948 -r-xr-sr-x 2 root tty 356520 Apr 21 05:14:18 2001 /sbin/rrestore
> 46932 -r-sr-x--- 1 root operator 165008 Apr 21 05:08:17 2001 /sbin/shutdown
> 548209 -rwsr-xr-x 1 root wheel 7533 Mar 22 00:28:49 2001 /usr/X11R6/bin/Xwrapper
> 548170 -rwsr-xr-x 1 root wheel 11980 Mar 22 00:27:06 2001 /usr/X11R6/bin/dga
> 326018 -r-sr-xr-x 1 root wheel 8948 Apr 18 17:44:29 2001 /usr/X11R6/bin/gnome-pty-helper
> 548203 -rwsr-xr-x 1 root wheel 166040 Mar 22 00:27:26 2001 /usr/X11R6/bin/xterm
> 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 05:09:19 2001 /usr/bin/at
> 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 05:09:19 2001 /usr/bin/atq
> 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 05:09:19 2001 /usr/bin/atrm
> 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 05:09:19 2001 /usr/bin/batch
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/chfn
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/chpass
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/chsh
> 8247 -r-sr-xr-x 1 root wheel 24508 Apr 21 05:09:59 2001 /usr/bin/crontab
> 7937 -r-sr-sr-x 1 uucp dialer 123888 Apr 21 05:06:15 2001 /usr/bin/cu
> 8079 -r-xr-sr-x 1 root kmem 13108 Apr 21 05:09:26 2001 /usr/bin/fstat
> 8094 -r-xr-sr-x 1 root kmem 9832 Apr 21 05:09:27 2001 /usr/bin/ipcs
> 8100 -r-sr-xr-x 1 root wheel 510 Apr 21 05:09:28 2001 /usr/bin/keyinfo
> 8101 -r-sr-xr-x 1 root wheel 7444 Apr 21 05:09:28 2001 /usr/bin/keyinit
> 8118 -r-sr-xr-x 1 root wheel 7004 Apr 21 05:09:31 2001 /usr/bin/lock
> 8121 -r-sr-xr-x 1 root wheel 20436 Apr 21 05:14:06 2001 /usr/bin/login
> 8252 -r-sr-sr-x 1 root daemon 23720 Apr 21 05:10:26 2001 /usr/bin/lpq
> 8253 -r-sr-sr-x 1 root daemon 27304 Apr 21 05:10:26 2001 /usr/bin/lpr
> 8254 -r-sr-sr-x 1 root daemon 22668 Apr 21 05:10:26 2001 /usr/bin/lprm
> 7993 -r-sr-xr-x 1 man wheel 28512 Apr 21 05:06:46 2001 /usr/bin/man
> 8140 -r-xr-sr-x 1 root kmem 85712 Apr 21 05:09:35 2001 /usr/bin/netstat
> 8142 -r-xr-sr-x 1 root kmem 9936 Apr 21 05:09:35 2001 /usr/bin/nfsstat
> 8270 -r-sr-xr-x 2 root wheel 30636 Apr 21 05:14:08 2001 /usr/bin/passwd
> 8156 -r-sr-xr-x 1 root wheel 10440 Apr 21 05:09:37 2001 /usr/bin/quota
> 8150 -r-sr-xr-x 1 root wheel 17564 Apr 21 05:14:09 2001 /usr/bin/rlogin
> 8152 -r-sr-xr-x 1 root wheel 14748 Apr 21 05:14:10 2001 /usr/bin/rsh
> 8161 -r-sr-xr-x 1 root wheel 11560 Apr 21 05:14:10 2001 /usr/bin/su
> 8179 -r-xr-sr-x 1 root kmem 56144 Apr 21 05:09:41 2001 /usr/bin/systat
> 8187 -r-xr-sr-x 1 root kmem 32344 Apr 21 05:09:42 2001 /usr/bin/top
> 7938 -r-sr-xr-x 1 uucp wheel 88228 Apr 21 05:06:16 2001 /usr/bin/uucp
> 7940 -r-sr-xr-x 1 uucp wheel 37312 Apr 21 05:06:16 2001 /usr/bin/uuname
> 7943 -r-sr-sr-x 1 uucp dialer 96752 Apr 21 05:06:16 2001 /usr/bin/uustat
> 7945 -r-sr-xr-x 1 uucp wheel 88844 Apr 21 05:06:16 2001 /usr/bin/uux
> 8212 -r-xr-sr-x 1 root kmem 16368 Apr 21 05:09:47 2001 /usr/bin/vmstat
> 8214 -r-xr-sr-x 1 root tty 9040 Apr 21 05:09:47 2001 /usr/bin/wall
> 8222 -r-xr-sr-x 1 root tty 7500 Apr 21 05:09:48 2001 /usr/bin/write
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/ypchfn
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/ypchpass
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/ypchsh
> 8270 -r-sr-xr-x 2 root wheel 30636 Apr 21 05:14:08 2001 /usr/bin/yppasswd
> 730141 -r-xr-sr-x 1 root games 7176 Apr 21 05:05:56 2001 /usr/games/dm
> 476168 -r-sr-xr-x 1 root wheel 398740 Apr 21 05:10:28 2001 /usr/libexec/sendmail/sendmail
> 492035 -r-sr-sr-x 1 uucp dialer 220704 Apr 21 05:06:15 2001 /usr/libexec/uucp/uucico
> 492036 -r-sr-s--- 1 uucp uucp 99584 Apr 21 05:06:17 2001 /usr/libexec/uucp/uuxqt
> 207208 -rwsr-xr-x 1 root wheel 4632 Apr 18 20:57:53 2001 /usr/local/bin/artswrapper
> 365951 -rwsr-xr-x 1 root wheel 8701 Apr 19 00:58:19 2001 /usr/local/bin/kcheckpass
> 365960 -rwxr-sr-x 1 root nobody 68088 Apr 19 01:00:57 2001 /usr/local/bin/kdesud
> 365981 -rwsr-xr-x 1 root wheel 5336 Apr 19 01:04:54 2001 /usr/local/bin/konsole_grantpty
> 691408 -rwsr-xr-x 1 root wheel 480944 Apr 18 22:48:57 2001 /usr/local/bin/kppp
> 183184 -rwsr-xr-x 1 root wheel 641862 Aug 4 10:18:49 2001 /usr/local/bin/xscreensaver
> 507951 -r-xr-sr-x 1 root kmem 4664 Apr 21 05:10:01 2001 /usr/sbin/ifmcstat
> 507953 -r-xr-sr-x 1 root kmem 9608 Apr 21 05:10:01 2001 /usr/sbin/iostat
> 508068 -r-xr-sr-x 1 root daemon 30196 Apr 21 05:10:25 2001 /usr/sbin/lpc
> 507971 -r-sr-xr-x 1 root wheel 16348 Apr 21 05:10:04 2001 /usr/sbin/mrinfo
> 507973 -r-sr-xr-x 1 root wheel 29896 Apr 21 05:10:05 2001 /usr/sbin/mtrace
> 508111 -r-sr-xr-- 1 root network 295124 Apr 21 05:10:16 2001 /usr/sbin/ppp
> 508112 -r-sr-xr-x 1 root wheel 95388 Apr 21 05:10:16 2001 /usr/sbin/pppd
> 508009 -r-xr-sr-x 2 root kmem 14808 Apr 21 05:10:16 2001 /usr/sbin/pstat
> 508032 -r-sr-x--- 1 root network 11112 Apr 21 05:10:19 2001 /usr/sbin/sliplogin
> 508009 -r-xr-sr-x 2 root kmem 14808 Apr 21 05:10:16 2001 /usr/sbin/swapinfo
> 508040 -r-sr-xr-x 1 root wheel 15112 Apr 21 05:10:20 2001 /usr/sbin/timedc
> 508041 -r-sr-xr-x 1 root wheel 13168 Apr 21 05:10:20 2001 /usr/sbin/traceroute
> 508042 -r-sr-xr-x 1 root bin 14952 Apr 21 05:10:20 2001 /usr/sbin/traceroute6
> 508043 -r-xr-sr-x 1 root kmem 8040 Apr 21 05:10:20 2001 /usr/sbin/trpt

Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
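Editor's note on reading a setuid diff like the one above. Two separate things are visible in it: every entry present on both sides has the same inode, mode, link count, owner, group and size and differs only in its timestamp (4 hours earlier for the April and August dates, 5 hours earlier for the March ones, which is the GMT-to-Eastern offset across the daylight-saving change), and five entries under /usr/local/bin appear on the right-hand side only. The script below is an added example, not part of the original post or of FreeBSD's own /etc/security, that parses this diff format and separates the two cases so the timestamp noise does not hide the entries that actually need checking. The sample input is a constructed excerpt of the diff quoted above; the function and variable names are the example's own.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed excerpt of the setuid diff quoted in the post above: a handful of
# entries from each side, including the five /usr/local/bin entries that exist
# only on the right-hand side. Sample data for this example, not the full log.
SAMPLE_DIFF = """\
1,74c1,79
< 31242 -r-xr-sr-x 1 root operator 56892 Apr 21 09:05:46 2001 /bin/df
< 46922 -r-sr-xr-x 1 root wheel 196376 Apr 21 09:08:15 2001 /sbin/ping
< 548209 -rwsr-xr-x 1 root wheel 7533 Mar 22 05:28:49 2001 /usr/X11R6/bin/Xwrapper
< 8161 -r-sr-xr-x 1 root wheel 11560 Apr 21 09:14:10 2001 /usr/bin/su
< 183184 -rwsr-xr-x 1 root wheel 641862 Aug 4 14:18:49 2001 /usr/local/bin/xscreensaver
---
> 31242 -r-xr-sr-x 1 root operator 56892 Apr 21 05:05:46 2001 /bin/df
> 46922 -r-sr-xr-x 1 root wheel 196376 Apr 21 05:08:15 2001 /sbin/ping
> 548209 -rwsr-xr-x 1 root wheel 7533 Mar 22 00:28:49 2001 /usr/X11R6/bin/Xwrapper
> 8161 -r-sr-xr-x 1 root wheel 11560 Apr 21 05:14:10 2001 /usr/bin/su
> 207208 -rwsr-xr-x 1 root wheel 4632 Apr 18 20:57:53 2001 /usr/local/bin/artswrapper
> 365951 -rwsr-xr-x 1 root wheel 8701 Apr 19 00:58:19 2001 /usr/local/bin/kcheckpass
> 365960 -rwxr-sr-x 1 root nobody 68088 Apr 19 01:00:57 2001 /usr/local/bin/kdesud
> 365981 -rwsr-xr-x 1 root wheel 5336 Apr 19 01:04:54 2001 /usr/local/bin/konsole_grantpty
> 691408 -rwsr-xr-x 1 root wheel 480944 Apr 18 22:48:57 2001 /usr/local/bin/kppp
> 183184 -rwsr-xr-x 1 root wheel 641862 Aug 4 10:18:49 2001 /usr/local/bin/xscreensaver
"""

# One "find -ls"-style record: inode, mode string, link count, owner, group,
# size, full timestamp, path. The regex matches the layout the daily check emits.
Entry = namedtuple("Entry", "inode mode links owner group size mtime path")
LINE_RE = re.compile(
    r"^([<>])\s+(\d+)\s+(\S{10})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\d{4})\s+(\S+)$"
)


def parse_setuid_diff(text):
    """Split a normal-format diff ('<' old, '>' new) into two path-keyed dicts."""
    left, right = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # hunk headers ("1,74c1,79"), "---", blank lines
        side, inode, mode, links, owner, group, size, mon, day, hms, year, path = m.groups()
        mtime = datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d %Y %H:%M:%S")
        entry = Entry(int(inode), mode, int(links), owner, group, int(size), mtime, path)
        (left if side == "<" else right)[path] = entry
    return left, right


def _identity(e):
    """Everything about an entry except its timestamp."""
    return (e.inode, e.mode, e.links, e.owner, e.group, e.size)


def classify(diff_text):
    """Sort each path into added / removed / changed / timestamp-only-shifted."""
    left, right = parse_setuid_diff(diff_text)
    report = {"added": [], "removed": [], "changed": [], "shifted": {}}
    for path in sorted(set(left) | set(right)):
        if path not in left:
            report["added"].append(path)
        elif path not in right:
            report["removed"].append(path)
        else:
            a, b = left[path], right[path]
            if _identity(a) != _identity(b):
                report["changed"].append(path)      # real content/metadata change
            elif a.mtime != b.mtime:
                report["shifted"][path] = (b.mtime - a.mtime).total_seconds()
    return report


def hour_offsets(report):
    """Distinct timestamp deltas, in hours, among the shifted-only entries."""
    return sorted({secs / 3600 for secs in report["shifted"].values()})


def looks_like_timezone_change(report):
    """True when the only differences in common entries are whole-hour shifts.

    A real modification changes size and usually inode and affects one file;
    a TZ change in the environment that ran the report shifts every file by
    whole hours (and by different whole hours either side of a DST boundary)
    while leaving everything else identical.
    """
    offsets = hour_offsets(report)
    return bool(offsets) and not report["changed"] and all(h == int(h) for h in offsets)


if __name__ == "__main__":
    r = classify(SAMPLE_DIFF)
    print("timezone-style shift only:", looks_like_timezone_change(r), hour_offsets(r))
    for key in ("added", "removed", "changed"):
        for p in r[key]:
            print(f"{key:8s} {p}")
```

On the excerpt this reports whole-hour offsets of -5 and -4 and no changed entries, and lists the five /usr/local/bin binaries as added. The added set is the part worth acting on: confirm each file is owned by an installed package (pkg_info on 4.x) and matches what that package ships, since a setuid file under /usr/local with no owning package is exactly what a backdoor looks like. The timestamp shift on its own is not evidence of anything, but note that the check relies on the host's own find and ls; if you genuinely suspect a compromise, compare the listing against a known-good system or install media rather than trusting the tools on the box.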
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10108121043240.82545-100000>
