Date: Tue, 24 Jul 2001 11:32:23 -0500
From: Jon Loeliger <jdl@jdl.com>
To: security@freebsd.org
Subject: Security Check Diffs Question
Message-ID: <200107241632.LAA05639@chrome.jdl.com>
Hi Folks,
This morning, on a machine that's been up for 33 days,
I suddenly saw these /etc/security diffs:
<host> setuid diffs:
20,22c20,22
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
---
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
53,55c53,55
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
---
> 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
So, how paranoid am I here? How concerned am I?
What compromise of my system just took place?
Couple things to notice:
- The files now take fewer 512K blocks,
but their sizes are the same?
- Most of the inodes stayed the same. Exact same.
Are these hard linked files? Should be, right?
- The inode for ypchfn changed!
It's no longer hard linked, right?
No form of disk restructuring, fsck, defrag, etc, was initiated by me.
Note that:
www 181 # cmp /usr/bin/{ypchpass,ypchfn}
/usr/bin/ypchpass /usr/bin/ypchfn differ: char 25, line 1
Here is a `strings /usr/bin/ypchfn`:
www 182 # strings /usr/bin/ypchfn
/usr/libexec/ld-elf.so.1
FreeBSD
libcrypt.so.2
_DYNAMIC
_init
__deregister_frame_info
crypt
strcmp
_fini
_GLOBAL_OFFSET_TABLE_
__register_frame_info
libc.so.4
strerror
execl
environ
fprintf
__progname
__error
setgid
__sF
execv
getpwuid
getpwnam
atexit
exit
strchr
execvp
setuid
_etext
_edata
__bss_start
_end
8/u
QR2cc.wsLFbKU
root
If someone didn't hack my system, I took a disk hit and lost
part of that file, right?
What other log files am I dissecting or where else am I poking
for further evidence?
Am I blowing away the bogus(?) /usr/bin/ypchfn and re-making
it a hard link to the others again?
jdl
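The listing that /etc/security diffs is in ls -li format with full timestamps (inode, mode, link count, owner, group, size, date, path), so the column that moved from 6 to 5 is the link count, and the inode column is what shows whether a name is still one of the hard links of the shared chpass binary. The following is an added example, not code from the mail or from FreeBSD's /etc/security: a small parser that runs over the two hunks quoted above (embedded as constructed sample input) and reports which path left the hard-link set and why the siblings' link counts dropped.

```python
import re
# ls -li style line as found in the setuid listing: inode mode nlink owner group size Mon DD HH:MM:SS YYYY path
LS_RE = re.compile(r'^(\d+)\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+(\d+)\s+\S+\s+\d+\s+\S+\s+\d{4}\s+(/\S+)$')
# Constructed sample: the two hunks quoted in the mail above.
SAMPLE_DIFF = """20,22c20,22
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
---
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
53,55c53,55
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
---
> 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""

def parse_setuid_diff(text):
    """Map path -> (old, new); '<' lines are yesterday's listing, '>' lines today's."""
    old, new = {}, {}
    for line in text.splitlines():
        m = LS_RE.match(line[2:]) if line[:2] in ('< ', '> ') else None
        if m:  # hunk headers such as '20,22c20,22' and '---' separators are skipped
            inode, mode, nlink, size, path = m.groups()
            (old if line[0] == '<' else new)[path] = {'inode': int(inode), 'mode': mode, 'nlink': int(nlink), 'size': int(size)}
    return {p: (old.get(p), new.get(p)) for p in sorted(set(old) | set(new))}
def classify(diff_text):
    """Return (path, finding) pairs; an inode change inside a hard-link set is the red flag."""
    entries = parse_setuid_diff(diff_text)
    old_by_inode = {}  # inode -> paths that shared it yesterday, i.e. the hard-link set
    for p, (o, _) in entries.items():
        if o:
            old_by_inode.setdefault(o['inode'], set()).add(p)
    findings = []
    for p, (o, n) in entries.items():
        if o is None or n is None:
            findings.append((p, 'setuid file added' if o is None else 'setuid file removed'))
        elif o['inode'] != n['inode']:
            sib = ', '.join(sorted(old_by_inode[o['inode']] - {p}))
            findings.append((p, 'inode %d -> %d: no longer a hard link of %s' % (o['inode'], n['inode'], sib)))
        elif o['nlink'] != n['nlink']:
            findings.append((p, 'link count %d -> %d: a sibling was unlinked or replaced' % (o['nlink'], n['nlink'])))
        elif (o['size'], o['mode']) != (n['size'], n['mode']):
            findings.append((p, 'size or mode changed'))
    return findings
```

Run on the sample, the five names still on inode 8047 report only the link count drop, while /usr/bin/ypchfn reports the inode change with the five siblings it used to share a file with; an unchanged size with a new inode is exactly the case where the contents, not just the metadata, need checking.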
