From: Cy Schubert - ITSD Open Systems Group
Reply-to: Cy Schubert - ITSD Open Systems Group
To: Brett Glass
cc: tarkhil@synchroline.ru, mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
In-reply-to: Your message of "Fri, 06 Nov 1998 09:21:03 MST." <4.1.19981106091836.04eb61b0@127.0.0.1>
Date: Sun, 08 Nov 1998 20:39:59 -0800
Message-Id: <199811090440.UAA15806@cwsys.cwsent.com>

In message <4.1.19981106091836.04eb61b0@127.0.0.1>, Brett Glass writes:

> This might be a break-in, but it also might be due to the VM
> bug that changes file mod dates. (We went to red alert
> over that one before we found out about it.)
>
> This bug shouldn't be allowed to persist, as it causes problems
> with tripwire, etc. I understand that this has been fixed in 3.0.
>
> --Brett
>
> At 05:19 PM 11/6/98 +0300, Alexander B. Povolotsky wrote:
>
> > <199811061258.HAA22049@easeway.com> mwlucas@exceptionet.com writes:
> >> I just got /etc/security mail from two 2.2.6 servers I administer. The
> >> setuid diffs list every setuid program on the server as having been removed
> >> and replaced.
> >>
> >> We haven't done a make world. We haven't touched much of anything.
> >>
> >> Is this normal, or should I be worried?
> >
> > *IMMEDIATELY* shut down both servers and do not bring them to the Internet until
> > you've found the reason.
> >
> > It is *QUITE* abnormal. I would not call it an "exploit", but it is something to
> > understand at once.

Regards,                       Phone:     (250)387-8437
Cy Schubert                    Fax:       (250)387-5766
Open Systems Group             Internet:  cschuber@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Government of BC
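An added example, not part of this thread and not FreeBSD's own /etc/security script: a small POSIX-shell setuid inventory that records each binary's path, permission string and content hash but deliberately not its modification time, so an mtime-only change of the kind Brett describes is not reported as a removed-and-replaced program, while a real content change, mode change, addition or removal still is. It assumes sha256sum is available and falls back to cksum otherwise; the directory, file names and contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not FreeBSD's /etc/security): inventory setuid binaries by
# path, permission string and content hash, leaving out mtime on purpose so a
# spurious modification-time change does not look like a replaced binary.
# Limitation: paths containing whitespace are not supported by this format.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1     # POSIX fallback (CRC, weaker than SHA-256)
    fi
}

# setuid_inventory DIR: one line per setuid file, "path mode hash", sorted.
setuid_inventory() {
    find "$1" -type f -perm -4000 2>/dev/null | sort | while read -r f; do
        printf '%s %s %s\n' "$f" "$(ls -ld "$f" | cut -d' ' -f1)" "$(hash_file "$f")"
    done
}

# compare_inventories OLD NEW: print one line per real difference; return 0
# only when the setuid set, modes and contents are all unchanged.
compare_inventories() {
    old=$1 new=$2 rc=0
    while read -r path mode hash; do
        line=$(awk -v p="$path" '$1 == p' "$old")
        if [ -z "$line" ]; then
            echo "$path: new setuid binary"; rc=1; continue
        fi
        omode=${line#* }; omode=${omode%% *}; ohash=${line##* }
        if [ "$hash" != "$ohash" ]; then
            echo "$path: content changed"; rc=1
        elif [ "$mode" != "$omode" ]; then
            echo "$path: mode changed $omode -> $mode"; rc=1
        fi
    done < "$new"
    while read -r path mode hash; do
        [ -n "$(awk -v p="$path" '$1 == p' "$new")" ] ||
            { echo "$path: setuid binary removed"; rc=1; }
    done < "$old"
    return "$rc"
}
```

Run `setuid_inventory /usr/bin > baseline` once, then compare a fresh inventory against it from cron; a baseline that lives on the same host a suspected intruder controls is of course only as trustworthy as the host.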