Date: Sun, 08 Nov 1998 20:39:59 -0800
From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Brett Glass <brett@lariat.org>
Cc: tarkhil@synchroline.ru, mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
Message-ID: <199811090440.UAA15806@cwsys.cwsent.com>
In-Reply-To: Your message of "Fri, 06 Nov 1998 09:21:03 MST." <4.1.19981106091836.04eb61b0@127.0.0.1>

In message <4.1.19981106091836.04eb61b0@127.0.0.1>, Brett Glass writes:
> This might be a breakin, but it also might be due to the VM
> bug that changes file mod dates. (We went to red alert
> over that one before we found out about it.)
>
> This bug shouldn't be allowed to persist, as it causes problems
> with tripwire, etc. I understand that this has been fixed in 3.0.
>
> --Brett
>
> At 05:19 PM 11/6/98 +0300, Alexander B. Povolotsky wrote:
>
> > <199811061258.HAA22049@easeway.com>mwlucas@exceptionet.com writes:
> >>I just got /etc/security mail from two 2.2.6 servers I administer. The
> >>setuid diffs list every setuid program on the server as having been removed
> >>and replaced.
> >>
> >>We haven't done a make world. We haven't touched much of anything.
> >>
> >>Is this normal, or should I be worried?
> >*IMMEDIATELY* shut down both servers and do not bring them to the Internet
> >until you've found the reason.
> >
> >It is *QUITE* abnormal. I would not call it "exploit", but it is something to
> >understand at once.

Regards,
Cy Schubert
Open Systems Group, ITSD
Government of BC
Phone: (250)387-8437
Fax: (250)387-5766
Internet: cschuber@uumail.gov.bc.ca
          Cy.Schubert@gems8.gov.bc.ca

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
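
The question this thread turns on, whether a setuid file's modification date moved or the file itself was replaced, can be answered by comparing content hashes alongside the metadata. The following is an added example, not part of the original messages and not how /etc/security or tripwire is implemented; the function names `snapshot`, `compare` and `demo`, the choice of SHA-256 and the sample files are assumptions made for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map path -> (mode, uid, gid, size, mtime, sha256) for setuid/setgid files."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            if not (stat.S_ISREG(st.st_mode)
                    and st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                          st.st_size, int(st.st_mtime), digest)
    return snap

def compare(old, new):
    """Label each differing path: added, removed, mtime-only or changed."""
    report = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            report[path] = "added"
        elif path not in new:
            report[path] = "removed"
        elif old[path] != new[path]:
            # Index 4 is the mtime; drop it and see whether anything else moved.
            same = old[path][:4] + old[path][5:] == new[path][:4] + new[path][5:]
            report[path] = "mtime-only" if same else "changed"
    return report

def demo():
    """Constructed sample: one file gets a new date, one gets new bytes."""
    with tempfile.TemporaryDirectory() as root:
        su, passwd = os.path.join(root, "su"), os.path.join(root, "passwd")
        for path in (su, passwd):
            with open(path, "wb") as fh:
                fh.write(b"constructed sample binary")
            os.chmod(path, 0o4755)
            os.utime(path, (1000, 1000))
        before = snapshot(root)
        os.utime(su, (2000, 2000))            # date changes, bytes do not
        with open(passwd, "wb") as fh:        # same length, different bytes
            fh.write(b"c0nstructed sample binary")
        os.chmod(passwd, 0o4755)              # a write may clear the setuid bit
        os.utime(passwd, (1000, 1000))        # original date put back
        after = snapshot(root)
        return {os.path.basename(p): v for p, v in compare(before, after).items()}
```

In the constructed sample, `su` is reported as `mtime-only` while `passwd` is reported as `changed` even though its size and date match the baseline, which a date-and-size listing would miss.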