From: Jon Loeliger
To: security@freebsd.org
Subject: Security Check Diffs Question
Date: Tue, 24 Jul 2001 11:32:23 -0500

Hi Folks,

This morning, on a machine that's been up for 33 days, I suddenly saw
these /etc/security diffs:

setuid diffs:
20,22c20,22
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
---
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
53,55c53,55
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
---
> 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh

So, how paranoid am I here? How concerned am I? What compromise of my
system just took place?

Couple things to notice:

- The files now take fewer 512K blocks, but their sizes are the same?
- Most of the inodes stayed the same. Exact same. Are these hard linked
  files? Should be, right?
- The inode for ypchfn changed! It's no longer hard linked, right?

No form of disk restructuring, fsck, defrag, etc, was initiated by me.

Note that:

www 181 # cmp /usr/bin/{ypchpass,ypchfn}
/usr/bin/ypchpass /usr/bin/ypchfn differ: char 25, line 1

Here is a `strings /usr/bin/ypchfn`:

www 182 # strings /usr/bin/ypchfn
/usr/libexec/ld-elf.so.1
FreeBSD
libcrypt.so.2
_DYNAMIC
_init
__deregister_frame_info
crypt
strcmp
_fini
_GLOBAL_OFFSET_TABLE_
__register_frame_info
libc.so.4
strerror
execl
environ
fprintf
__progname
__error
setgid
__sF
execv
getpwuid
getpwnam
atexit
exit
strchr
execvp
setuid
_etext
_edata
__bss_start
_end
8/u
QR2cc.wsLFbKU
root

If someone didn't hack my system, I took a disk hit and lost part of
that file, right?

What other log files am I dissecting or where else am I poking for
further evidence?

Am I blowing away the bogus(?) /usr/bin/ypchfn and re-making it a hard
link to the others again?

jdl
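An added helper for reading this kind of report, not part of the original post or of FreeBSD's /etc/security: it parses `ls -li`-style lines like the ones above, reports between two runs every path whose inode or link count changed, and groups paths by inode so a file that has left its hard-link set (same size, new inode, link count 1) stands out. The sample listings are constructed from the six entries in the diff above.

```python
import re
from collections import defaultdict

# Matches one `ls -li` line as printed by the /etc/security setuid check:
# inode, mode, link count, owner, group, size, date, path.
LS_LINE = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<mode>\S+)\s+(?P<nlink>\d+)\s+\S+\s+\S+\s+"
    r"(?P<size>\d+)\s+.*?\s(?P<path>/\S+)$"
)

def parse_listing(text):
    """Return {path: (inode, nlink, size)} for every matching line."""
    entries = {}
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries[m["path"]] = (int(m["inode"]), int(m["nlink"]), int(m["size"]))
    return entries

def hardlink_groups(entries):
    """Group paths by inode: {inode: [paths]}. Paths sharing an inode are hard links."""
    groups = defaultdict(list)
    for path, (inode, _, _) in entries.items():
        groups[inode].append(path)
    return dict(groups)

def compare_listings(old_text, new_text):
    """Report (path, what, before, after) for each inode or link-count change.
    A path whose inode changed while its size stayed the same is the one to
    compare byte-for-byte (cmp) against its former link siblings."""
    old, new = parse_listing(old_text), parse_listing(new_text)
    findings = []
    for path in sorted(old.keys() & new.keys()):
        o_ino, o_nlink, _ = old[path]
        n_ino, n_nlink, _ = new[path]
        if o_ino != n_ino:
            findings.append((path, "inode changed", o_ino, n_ino))
        elif o_nlink != n_nlink:
            findings.append((path, "link count changed", o_nlink, n_nlink))
    return findings

# Constructed sample input: the six setuid entries before and after the change.
OLD = "\n".join(f"8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/{p}"
                for p in ("chfn", "chpass", "chsh", "ypchfn", "ypchpass", "ypchsh"))
NEW = "\n".join(f"8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/{p}"
                for p in ("chfn", "chpass", "chsh", "ypchpass", "ypchsh")
                ) + "\n8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn"

if __name__ == "__main__":
    for finding in compare_listings(OLD, NEW):
        print(*finding)
```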