From: Pierre-Luc Lespérance
Date: Tue, 24 Jul 2001 19:16:16 -0400
To: security@freebsd.org
Subject: Re: Security Check Diffs Question

Jon Loeliger wrote:
>
> Hi Folks,
>
> This morning, on a machine that's been up for 33 days,
> I suddenly saw these /etc/security diffs:
>
> setuid diffs:
> 20,22c20,22
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
> ---
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
> 53,55c53,55
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
> ---
> > 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh

If your box is not *really* important, you should leave it like that
and wait for the return of the Evil telnetd cracker (if any) and mail a
little paper to his ISP.
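
As an added example (not part of the original thread), the Python below parses the second hunk of the quoted setuid diff and reports which `ls -li` fields changed per path: a new inode means the name now refers to a different file, while a link-count change alone means another hard link to the same inode went away. The function names and the field order (inode, mode, links, owner, group, size, mtime, path) are assumptions of this example.

```python
import re

# Second hunk of the quoted /etc/security report, with the e-mail reply
# quoting ("> ") stripped. Field order is assumed to follow `ls -li`.
REPORT = """\
53,55c53,55
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
---
> 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""

FIELDS = ("inode", "mode", "links", "owner", "group", "size", "mtime")
LINE = re.compile(
    r"^([<>]) (\d+) (\S+) (\d+) (\S+) (\S+) (\d+) "
    r"(\w{3} +\d+ [\d:]+ \d{4}) (\S+)$"
)

def parse(report):
    """Return {path: {"old": {...}, "new": {...}}} from normal-diff text."""
    entries = {}
    for line in report.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # hunk headers ("53,55c53,55") and "---" separators
        side = "old" if m.group(1) == "<" else "new"
        entries.setdefault(m.group(9), {})[side] = dict(zip(FIELDS, m.groups()[1:8]))
    return entries

def classify(report):
    """Map each path to the fields that differ, or to added/removed."""
    result = {}
    for path, sides in sorted(parse(report).items()):
        old, new = sides.get("old"), sides.get("new")
        if old is None or new is None:
            result[path] = ["added" if old is None else "removed"]
        else:
            result[path] = [f for f in FIELDS if old[f] != new[f]]
    return result

if __name__ == "__main__":
    for path, changed in classify(REPORT).items():
        note = "different file behind this name" if "inode" in changed else "same inode"
        print(f"{path}: {', '.join(changed)} ({note})")
```

On this hunk only `/usr/bin/ypchfn` shows an inode change; the other two names differ in link count alone.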