From owner-freebsd-security Tue Jul 24 15:47:17 2001
Date: Tue, 24 Jul 2001 15:47:11 -0700
From: Kris Kennaway
To: Peter Pentchev
Cc: Jon Loeliger, security@freebsd.org
Subject: Re: Security Check Diffs Question
Message-ID: <20010724154711.B36368@xor.obsecurity.org>
References: <200107241632.LAA05639@chrome.jdl.com> <20010724205228.A16243@ringworld.oblivion.bg>
In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg>; from roam@orbitel.bg on Tue, Jul 24, 2001 at 08:52:28PM +0300

On Tue, Jul 24, 2001 at 08:52:28PM +0300, Peter Pentchev wrote:
> On Tue, Jul 24, 2001 at 11:32:23AM -0500, Jon Loeliger wrote:
> > Hi Folks,
> >
> > This morning, on a machine that's been up for 33 days,
> > I suddenly saw these /etc/security diffs:
> >
> > setuid diffs:
> > 20,22c20,22
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
> > ---
> > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
>
> This means that there were 6 files hardlinked to inode 8047, now there are
> only five. One of the links was removed and probably replaced with something
> else, which cannot point to the same inode.
>
> > 53,55c53,55
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
> > ---
> > > 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
>
> ypchfn changed its inode number, and its link count. This means that
> somebody performed an unlink() (delete) on ypchfn, and then created
> a new ypchfn with the same size, timestamp, permissions and stuff,
> but still a new file - and that's where the hardlink count + inum
> tracking of /etc/security kicked in and alerted you.

This is a signature I've seen before; chances are someone has gained root
on your machine (probably through telnetd)

Kris
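The inode-plus-link-count tracking Peter describes above, as an added example that is not from the thread or from FreeBSD's own /etc/security script: a small Python re-implementation that snapshots the same fields the check prints and diffs two snapshots, driven by a constructed temp directory that reproduces the quoted scenario (six hardlinks to one inode, then ypchfn unlinked and recreated with matching size and mtime). The file names, size and timestamp are constructed for the demo.

```python
import os
import tempfile

def snapshot(paths):
    """Record what /etc/security's setuid check prints: inode, link count, mode, size, mtime."""
    snap = {}
    for p in paths:
        st = os.lstat(p)
        snap[p] = (st.st_ino, st.st_nlink, st.st_mode, st.st_size, int(st.st_mtime))
    return snap

def diff_setuid(old, new):
    """Flag inode or link-count changes; these survive a replacement that copies size, mode and mtime."""
    findings = []
    for p in sorted(set(old) | set(new)):
        if p not in new:
            findings.append((p, "removed"))
        elif p not in old:
            findings.append((p, "added"))
        elif old[p][0] != new[p][0]:
            findings.append((p, f"inode changed {old[p][0]}->{new[p][0]} (file replaced)"))
        elif old[p][1] != new[p][1]:
            findings.append((p, f"link count {old[p][1]}->{new[p][1]} (a hardlinked sibling was replaced)"))
    return findings

def demo():
    """Constructed scenario: six hardlinks to one inode, then ypchfn is unlinked and
    recreated with the same size and mtime, as in the diff quoted in the thread."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in
                 ("chfn", "chpass", "chsh", "ypchfn", "ypchpass", "ypchsh")]
        with open(paths[0], "wb") as f:
            f.write(b"A" * 32184)
        for p in paths[1:]:
            os.link(paths[0], p)
        mtime = 974700112  # constructed fixed timestamp; shared by every link of the inode
        os.utime(paths[0], (mtime, mtime))
        before = snapshot(paths)
        target = paths[3]  # ypchfn
        os.unlink(target)
        with open(target, "wb") as f:  # new inode, identical size...
            f.write(b"B" * 32184)
        os.utime(target, (mtime, mtime))  # ...and identical mtime
        after = snapshot(paths)
        return diff_setuid(before, after)

if __name__ == "__main__":
    for path, why in demo():
        print(os.path.basename(path), why)
```

Size, mode and mtime are identical before and after, so a check that compared only those would stay silent; the inode change on ypchfn and the 6-to-5 link-count drop on its five siblings are what give the replacement away.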