Date: Mon, 30 Oct 95 20:45:15 CST
From: Joe Greco <jgreco@solaria.sol.net>
To: hackers@freebsd.org
Subject: hummin security check output (fwd)
Message-ID: <199510310245.UAA08217@solaria.sol.net>

During a period of unusual distress (cause unknown) followed by a panic and
automatic reboot, my INN news server "hummin" ran out of swap for a period
of several hours - and the strangest thing happened.

It appears that a number of running programs were "touched" in the midst of
the period it was running out of swap...

Background: FreeBSD 2.0.5R, 48MB RAM, ASUS SP3G AMD DX4/100, NCR 810 SCSI,
AHA-1542B SCSI

Forwarded message:
> From root@hummin.sol.net Sun Oct 29 03:57:03 1995
> Date: Sun, 29 Oct 1995 02:00:14 -0600
> From: Charlie Root <root@hummin.sol.net>
> Message-Id: <199510290800.CAA20918@hummin.sol.net>
> Subject: hummin security check output
> Apparently-To: root@hummin.sol.net
>
> checking setuid files and devices:
> hummin setuid/device diffs:
> 31c31
> < -r-sr-sr-x 3 root kmem 180224 Jun 10 05:05:54 1995 /usr/bin/mailq
> ---
> > -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37:14 1995 /usr/bin/mailq
> 35c35
> < -r-sr-sr-x 3 root kmem 180224 Jun 10 05:05:54 1995 /usr/bin/newaliases
> ---
> > -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37:14 1995 /usr/bin/newaliases
> 73c73
> < -r-sr-sr-x 3 root kmem 180224 Jun 10 05:05:54 1995 /usr/sbin/sendmail
> ---
> > -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37:14 1995 /usr/sbin/sendmail

Woah??? Cool.

Since I was out of town and nobody else has root access to this system,
nobody was logged in, and this happened during a period of VM distress, I
would have to say that this was somehow self-inflicted by the box itself.

The binaries were compared to the distributed ones and they are identical.

I was unable to locate any other binaries where this happened.

However, a quick audit revealed:

(hummin.root.p0-2) 8:36pm /sbin 386 # find /usr -ls | grep "Oct 28"
7969 368 -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37 /usr/bin/newaliases
7969 368 -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37 /usr/bin/mailq
15521 848 -r--r--r-- 1 bin bin 425907 Oct 28 04:27 /usr/lib/libc.so.2.1
46084 2 drwxr-xr-x 21 bin bin 512 Oct 28 03:36 /usr/local/man
46507 14 -rw-r--r-- 1 root bin 6342 Oct 28 03:36 /usr/local/man/whatis
23267 2 drwx------ 5 root bin 512 Oct 28 03:36 /usr/local/X11R6/man
23118 72 -rw-r--r-- 1 root bin 36197 Oct 28 03:36 /usr/local/X11R6/man/whatis
7969 368 -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37 /usr/sbin/sendmail
8626 2 drwxr-xr-x 10 bin bin 512 Oct 28 03:34 /usr/share/man
8618 144 -rw-r--r-- 1 root bin 73445 Oct 28 03:34 /usr/share/man/whatis

Oops - well I just figured out what caused the VM flailing... the locate
database rebuild.

A harmless effect, perhaps, but disturbing to see dates changing,
particularly on things like libc!!!!... Particularly since that one was
different.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI 414/342-4847
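
Added example, not part of the original message: the three setuid diffs above share inode 7969 and link count 3 in the `find -ls` output, so they are one file reached through three hard links, and grouping the listing by inode makes that visible. The sample lines are copied from the message; the function names are hypothetical, and the grouping assumes all paths are on one filesystem (inode numbers are only unique per filesystem).

```python
import re
from collections import defaultdict

# Lines copied from the `find /usr -ls` output in the message above.
# Fields: inode, blocks, mode, links, owner, group, size, mtime, path.
SAMPLE = """\
7969 368 -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37 /usr/bin/newaliases
7969 368 -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37 /usr/bin/mailq
15521 848 -r--r--r-- 1 bin bin 425907 Oct 28 04:27 /usr/lib/libc.so.2.1
46507 14 -rw-r--r-- 1 root bin 6342 Oct 28 03:36 /usr/local/man/whatis
7969 368 -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37 /usr/sbin/sendmail
"""

LINE = re.compile(
    r"^\s*(?P<inode>\d+)\s+\d+\s+(?P<mode>\S{10})\s+(?P<links>\d+)\s+"
    r"\S+\s+\S+\s+(?P<size>\d+)\s+(?P<mtime>\w{3}\s+\d+\s+[\d:]+)\s+"
    r"(?P<path>.+)$"
)

def is_setid(mode):
    # 's' or 'S' in the owner or group execute slot marks setuid/setgid.
    return mode[3] in "sS" or mode[6] in "sS"

def summarize(text):
    """Collapse hard links: one report entry per inode, not per path."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            groups[int(m["inode"])].append(m.groupdict())
    report = {}
    for inode, members in groups.items():
        report[inode] = {
            "paths": sorted(e["path"] for e in members),
            "setid": is_setid(members[0]["mode"]),
            "mtime": members[0]["mtime"],
            # True when every hard link to this inode appears in the listing.
            "all_links_seen": len(members) == int(members[0]["links"]),
        }
    return report

if __name__ == "__main__":
    for inode, info in sorted(summarize(SAMPLE).items()):
        print(inode, info)
```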