Date: Tue, 24 Jul 2001 11:32:23 -0500 From: Jon Loeliger <jdl@jdl.com> To: security@freebsd.org Subject: Security Check Diffs Question Message-ID: <200107241632.LAA05639@chrome.jdl.com>
Hi Folks,

This morning, on a machine that's been up for 33 days, I suddenly saw these /etc/security diffs:

<host> setuid diffs:
20,22c20,22
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
---
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
53,55c53,55
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
---
> 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh

So, how paranoid am I here? How concerned am I? What compromise of my system just took place?

Couple things to notice:

- The files now take fewer 512K blocks, but their sizes are the same?
- Most of the inodes stayed the same. Exact same. Are these hard linked files? Should be, right?
- The inode for ypchfn changed! It's no longer hard linked, right?

No form of disk restructuring, fsck, defrag, etc, was initiated by me.
Note that:

www 181 # cmp /usr/bin/{ypchpass,ypchfn}
/usr/bin/ypchpass /usr/bin/ypchfn differ: char 25, line 1

Here is a `strings /usr/bin/ypchfn`:

www 182 # strings /usr/bin/ypchfn
/usr/libexec/ld-elf.so.1
libcrypt.so.2
_DYNAMIC
_init
__deregister_frame_info
crypt
strcmp
_fini
_GLOBAL_OFFSET_TABLE_
__register_frame_info
libc.so.4
strerror
execl
environ
fprintf
__progname
__error
setgid
__sF
execv
getpwuid
getpwnam
atexit
exit
strchr
execvp
setuid
_etext
_edata
__bss_start
_end
8/u
QR2cc.wsLFbKU
root

If someone didn't hack my system, I took a disk hit and lost part of that file, right? What other log files am I dissecting, or where else am I poking for further evidence? Am I blowing away the bogus(?) /usr/bin/ypchfn and re-making it a hard link to the others again?

jdl
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107241632.LAA05639>
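The checks a responder would want to run over the listing and the strings output above, as an added example that is not part of the post or of FreeBSD's /etc/security script. It assumes the listing uses the ls -liT field order (inode, mode, link count, owner, group, size, timestamp, path), which is what the quoted lines look like; the sample listings and the strings(1) output are constructed by copying the values quoted in the post. Two of the checks are structural (which path left its hard-link group, and whether each inode's link count still matches the number of listed names that share it); the third is a heuristic scan for 13-character tokens in the traditional DES crypt(3) alphabet, which flags the odd token in the strings output without claiming to know what it is.

```python
"""Consistency checks over two /etc/security-style setuid listings
(assumed ls -liT field order: inode, mode, nlink, owner, group, size,
timestamp, path) plus a heuristic scan of strings(1) output.
Sample data below is constructed from the values quoted in the post."""
import re
from collections import defaultdict

# Constructed sample: the "<" side of the diff quoted in the post.
OLD_LISTING = """
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""

# Constructed sample: the ">" side of the same diff.
NEW_LISTING = """
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""

# Constructed sample: the strings(1) output quoted in the post.
STRINGS_OUTPUT = """
/usr/libexec/ld-elf.so.1 libcrypt.so.2 _DYNAMIC _init __deregister_frame_info
crypt strcmp _fini _GLOBAL_OFFSET_TABLE_ __register_frame_info libc.so.4
strerror execl environ fprintf __progname __error setgid __sF execv getpwuid
getpwnam atexit exit strchr execvp setuid _etext _edata __bss_start _end
8/u QR2cc.wsLFbKU root
"""

# inode mode nlink owner group size Mon dd hh:mm:ss yyyy path
_LINE = re.compile(
    r"^(?P<inode>\d+)\s+(?P<mode>\S+)\s+(?P<nlink>\d+)\s+\S+\s+\S+\s+"
    r"(?P<size>\d+)\s+\S+\s+\d+\s+[\d:]+\s+\d{4}\s+(?P<path>/\S+)$"
)


def parse_listing(text):
    """Map path -> {inode, nlink, size, mode}; refuse lines that do not parse."""
    records = {}
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable listing line: {line!r}")
        records[m["path"]] = {"inode": int(m["inode"]), "nlink": int(m["nlink"]),
                              "size": int(m["size"]), "mode": m["mode"]}
    return records


def inode_changes(old, new):
    """Paths present in both listings whose inode moved: the name now points at
    a different file (the old link was replaced), not a file edited in place."""
    return {p: (old[p]["inode"], new[p]["inode"])
            for p in old if p in new and old[p]["inode"] != new[p]["inode"]}


def link_count_mismatches(records):
    """Inodes whose st_nlink disagrees with the number of listed names sharing it.
    nlink > listed: further names exist outside this (setuid-only) listing.
    nlink < listed, or differing nlink values: not a snapshot of one fs state."""
    groups = defaultdict(list)
    for path, rec in records.items():
        groups[rec["inode"]].append(path)
    bad = {}
    for inode, paths in groups.items():
        nlinks = sorted({records[p]["nlink"] for p in paths})
        if nlinks != [len(paths)]:
            bad[inode] = (nlinks, len(paths))
    return bad


# Traditional DES crypt(3) output: 2-char salt + 11 chars, all from [./0-9A-Za-z].
_DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")


def crypt_like_tokens(strings_output):
    """Heuristic only: 13-char tokens from the crypt(3) alphabet, skipping shared
    object names (libcrypt.so.2 happens to be 13 chars). A hit is a reason to
    disassemble the binary, not proof of what it does."""
    return [t for t in strings_output.split()
            if _DES_HASH.match(t) and ".so" not in t]


if __name__ == "__main__":
    old, new = parse_listing(OLD_LISTING), parse_listing(NEW_LISTING)
    print("inode moved:", inode_changes(old, new))
    print("old nlink mismatches:", link_count_mismatches(old))
    print("new nlink mismatches:", link_count_mismatches(new))
    print("crypt-like tokens:", crypt_like_tokens(STRINGS_OUTPUT))
```

Run against the quoted data, both listings are internally consistent (six names on one inode with nlink 6, then five names with nlink 5 plus a lone inode with nlink 1), so the only structural finding is /usr/bin/ypchfn moving from inode 8047 to 8270. That is what you would expect if the name had been unlinked and a new file created under it, rather than the shared file being modified, which is also why cmp reports the other links unchanged. To take it further on the live system, compare ypchfn against a known-good copy from the install media or a sibling box, and check ctime on the new inode (ls -lc), since ctime cannot be set with touch(1) the way mtime can.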