Date: Fri, 23 Jul 2004 11:33:16 -0400 (EDT)
From: "Steve Bertrand"
To: freebsd-questions@freebsd.org
Subject: Re: setuid diffs...
Message-ID: <1719.209.167.16.15.1090596796.squirrel@209.167.16.15>
In-Reply-To: <1557.209.167.16.15.1090593146.squirrel@209.167.16.15>

> Hi all,
>
> Late yesterday, I ``cloned'' my single, primary IDE FreeBSD hard disk onto
> a larger one. Then, using a Promise ATA IDE RAID controller I built a
> RAID-1 array.
>
> Everything went as planned, the box is now back up using the 'ar' driver
> for the array. However, in the security run output last night, I got this:
>
> Checking setuid files and devices:
>
> pearl.ibctech.ca setuid diffs:
> 1,73c1,73
> < 106 -r-sr-xr-x 1 root wheel 251444 Jul 16 12:07:10 2004 /bin/rcp
> < 15904 -r-xr-sr-x 1 root kmem 66216 Jul 16 12:07:25 2004 /sbin/ccdconfig
> < 15949 -r-sr-xr-x 1 root wheel 203992 Jul 16 12:07:28 2004 /sbin/ping
>
> and down further:
>
> - > 1036 -r-sr-xr-x 1 root wheel 251444 Jul 16 12:07:10 2004 /bin/rcp
> - > 1292 -r-xr-sr-x 1 root kmem 66216 Jul 16 12:07:25 2004 /sbin/ccdconfig
> - > 1339 -r-sr-xr-x 1 root wheel 203992 Jul 16 12:07:28 2004 /sbin/ping
>
> Did this happen because the files were transferred from one disk to
> another and the system knew it? Or should I be concerned of a possible
> 'coincidental' invasion?
>

Thanks all for the replies. I assumed it was just due to the move, but
always better safe than sorry ;o)

Steve

> Tks for any help!
>
> Steve
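
Added example, not part of the original message or of the FreeBSD security script: one way to check whether a setuid diff like the one quoted above reflects only renumbered inodes or a real change to a file. It assumes the leading number on each line is the inode (ls -li style output); the function names are hypothetical and the two /constructed/ paths are made up for illustration.

```python
import re

# Assumed line layout (ls -li style): inode mode links owner group size Mon DD HH:MM:SS YYYY path
ENTRY = re.compile(
    r"^(?P<inode>\d+)\s+"
    r"(?P<attrs>\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+"
    r"(?P<path>/.*)$"
)

def parse_diff(text):
    """Return ({path: (inode, attrs)} for '<' lines, same for '>' lines)."""
    old, new = {}, {}
    for line in text.splitlines():
        side, _, body = line.strip().partition(" ")
        match = ENTRY.match(body.strip())
        if side not in ("<", ">") or not match:
            continue  # hunk headers such as "1,73c1,73" and the "---" separator
        attrs = " ".join(match["attrs"].split())  # normalise column padding
        (old if side == "<" else new)[match["path"]] = (int(match["inode"]), attrs)
    return old, new

def classify(old, new):
    """Sort every path into inode_only, changed, added or removed."""
    report = {"inode_only": [], "changed": [], "added": [], "removed": []}
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            report["removed"].append(path)
        elif path not in old:
            report["added"].append(path)
        elif old[path][1] != new[path][1]:
            report["changed"].append(path)     # mode, owner, size or mtime differs
        elif old[path][0] != new[path][0]:
            report["inode_only"].append(path)  # same metadata, new inode number
    return report

# The first three pairs are the entries quoted in the message; the two
# /constructed/ paths are invented for illustration, not from the thread.
SAMPLE = """\
1,73c1,73
< 106 -r-sr-xr-x 1 root wheel 251444 Jul 16 12:07:10 2004 /bin/rcp
< 15904 -r-xr-sr-x 1 root kmem 66216 Jul 16 12:07:25 2004 /sbin/ccdconfig
< 15949 -r-sr-xr-x 1 root wheel 203992 Jul 16 12:07:28 2004 /sbin/ping
< 20001 -r-sr-xr-x 1 root wheel 1000 Jul 16 12:08:00 2004 /constructed/example-a
---
> 1036 -r-sr-xr-x 1 root wheel 251444 Jul 16 12:07:10 2004 /bin/rcp
> 1292 -r-xr-sr-x 1 root kmem 66216 Jul 16 12:07:25 2004 /sbin/ccdconfig
> 1339 -r-sr-xr-x 1 root wheel 203992 Jul 16 12:07:28 2004 /sbin/ping
> 20001 -r-sr-xr-x 1 root wheel 2000 Jul 22 03:00:00 2004 /constructed/example-a
> 20002 -r-sr-xr-x 1 root wheel 500 Jul 22 03:00:05 2004 /constructed/example-b
"""

if __name__ == "__main__":
    for kind, paths in classify(*parse_diff(SAMPLE)).items():
        print(f"{kind}: {paths}")
```

Matching mode, owner, size and mtime narrows a diff down to inode renumbering but does not prove the file contents are unchanged; comparing checksums against known-good binaries covers that.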