From owner-freebsd-hackers Mon Oct 30 18:45:06 1995
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id SAA04763 for hackers-outgoing; Mon, 30 Oct 1995 18:45:06 -0800
Received: from demerzel.sol.net (demerzel.sol.net [204.95.172.242]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id SAA04736 for ; Mon, 30 Oct 1995 18:44:57 -0800
Received: from solaria.sol.net (solaria.sol.net [206.55.65.75]) by demerzel.sol.net (8.6.11/8.6.9) with ESMTP id UAA04020 for ; Mon, 30 Oct 1995 20:42:25 -0600
Received: from localhost by solaria.sol.net (8.5/8.5) id UAA08217; Mon, 30 Oct 1995 20:45:18 -0600
From: Joe Greco
Message-Id: <199510310245.UAA08217@solaria.sol.net>
Subject: hummin security check output (fwd)
To: hackers@freebsd.org
Date: Mon, 30 Oct 95 20:45:15 CST
Reply-To: jgreco@mei.com
X-Mailer: ELM [version 2.4dev PL65]
MIME-Version: 1.0
Content-Type: text
Content-Length: 3094
Sender: owner-hackers@freebsd.org
Precedence: bulk

During a period of unusual distress (cause unknown) followed by a panic and automatic reboot, my INN news server "hummin" ran out of swap for a period of several hours - and the strangest thing happened. It appears that a number of running programs were "touched" in the midst of the period it was running out of swap...

Background: FreeBSD 2.0.5R, 48MB RAM, ASUS SP3G AMD DX4/100, NCR 810 SCSI, AHA-1542B SCSI

Forwarded message:
> From root@hummin.sol.net Sun Oct 29 03:57:03 1995
> Date: Sun, 29 Oct 1995 02:00:14 -0600
> From: Charlie Root
> Message-Id: <199510290800.CAA20918@hummin.sol.net>
> Subject: hummin security check output
> Apparently-To: root@hummin.sol.net
>
> checking setuid files and devices:
> hummin setuid/device diffs:
> 31c31
> < -r-sr-sr-x 3 root kmem 180224 Jun 10 05:05:54 1995 /usr/bin/mailq
> ---
> > -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37:14 1995 /usr/bin/mailq
> 35c35
> < -r-sr-sr-x 3 root kmem 180224 Jun 10 05:05:54 1995 /usr/bin/newaliases
> ---
> > -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37:14 1995 /usr/bin/newaliases
> 73c73
> < -r-sr-sr-x 3 root kmem 180224 Jun 10 05:05:54 1995 /usr/sbin/sendmail
> ---
> > -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37:14 1995 /usr/sbin/sendmail

Woah??? Cool. Since I was out of town and nobody else has root access to this system, nobody was logged in, and this happened during a period of VM distress, I would have to say that this was somehow self-inflicted by the box itself. The binaries were compared to the distributed ones and they are identical. I was unable to locate any other binaries where this happened.

However, a quick audit revealed:

(hummin.root.p0-2) 8:36pm /sbin 386 # find /usr -ls | grep "Oct 28"
7969 368 -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37 /usr/bin/newaliases
7969 368 -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37 /usr/bin/mailq
15521 848 -r--r--r-- 1 bin bin 425907 Oct 28 04:27 /usr/lib/libc.so.2.1
46084 2 drwxr-xr-x 21 bin bin 512 Oct 28 03:36 /usr/local/man
46507 14 -rw-r--r-- 1 root bin 6342 Oct 28 03:36 /usr/local/man/whatis
23267 2 drwx------ 5 root bin 512 Oct 28 03:36 /usr/local/X11R6/man
23118 72 -rw-r--r-- 1 root bin 36197 Oct 28 03:36 /usr/local/X11R6/man/whatis
7969 368 -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37 /usr/sbin/sendmail
8626 2 drwxr-xr-x 10 bin bin 512 Oct 28 03:34 /usr/share/man
8618 144 -rw-r--r-- 1 root bin 73445 Oct 28 03:34 /usr/share/man/whatis

Oops - well I just figured out what caused the VM flailing... the locate database rebuild. A harmless effect, perhaps, but disturbing to see dates changing, particularly on things like libc!!!!... Particularly since that one was different.

... Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI 414/342-4847
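
An added triage example, not part of the original message or of FreeBSD's security script: it parses a setuid/device diff like the one forwarded above and separates entries where only the timestamp moved (which still need a content comparison against known-good binaries, as was done here) from entries that warrant escalation. The function names are hypothetical, and the final hunk of the sample is constructed for illustration.

```python
import re

# First three hunks are copied from the report above; the last hunk
# (/usr/local/bin/example) is constructed to show a newly listed file.
SAMPLE = """\
31c31
< -r-sr-sr-x 3 root kmem 180224 Jun 10 05:05:54 1995 /usr/bin/mailq
---
> -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37:14 1995 /usr/bin/mailq
35c35
< -r-sr-sr-x 3 root kmem 180224 Jun 10 05:05:54 1995 /usr/bin/newaliases
---
> -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37:14 1995 /usr/bin/newaliases
73c73
< -r-sr-sr-x 3 root kmem 180224 Jun 10 05:05:54 1995 /usr/sbin/sendmail
---
> -r-sr-sr-x 3 root kmem 180224 Oct 28 03:37:14 1995 /usr/sbin/sendmail
80a81
> -r-sr-xr-x 1 root bin 16384 Oct 28 03:37:14 1995 /usr/local/bin/example
"""

FIELDS = ("mode", "links", "owner", "group", "size", "mtime")
LINE = re.compile(r"^([<>]) (\S+) +(\d+) +(\S+) +(\S+) +(\d+) +"
                  r"(\w{3} +\d+ +[\d:]+ +\d{4}) +(/.*)$")

def classify(report):
    """Map each path to the list of fields that differ between old and new."""
    old, new = {}, {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # hunk headers such as "31c31" and "---" separators
        side, *values, path = m.groups()
        (old if side == "<" else new)[path] = dict(zip(FIELDS, values))
    changes = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            changes[path] = ["added"]
        elif path not in new:
            changes[path] = ["removed"]
        else:
            changes[path] = [f for f in FIELDS if old[path][f] != new[path][f]]
    return changes

def triage(report):
    """mtime-only changes need a content check; anything else is escalated."""
    return {path: "verify-content" if diff == ["mtime"] else "escalate"
            for path, diff in classify(report).items()}

if __name__ == "__main__":
    for path, action in triage(SAMPLE).items():
        print(f"{action:15} {path}")
```

A "verify-content" result is not a clean bill of health: identical size and mode say nothing about the bytes, so the file still has to be compared against a trusted copy or checksum.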