From: "Darren"
To: "fbsd-questions"
Subject: strange ls and date commands (innocent or suspicious?)
Date: Thu, 8 Aug 2002 22:42:46 -0500
Message-ID: <055301c23f56$d3c5fb20$6401a8c0@crotchett.com>

I came across two files "ls" and "date" in an odd place with slightly different permissions and different groups. I'm running 4.6 with some stuff backed up from 4.4. It seems that I copied them from my old box.

I don't think this box has been compromised. Nothing other than ports 80 and 25 has ever been open, plus I keep a close watch on it with aide. It's a new install and I'm keeping it up-to-date. But, I wonder if my old one was.

Do you think these filenames are suspicious? Do they have logical explanations?
In /hd2/var/ftp/bin, I have:

    ---x--x--x  1 root  operator  298904 Jun 16 09:39 ls
    ---x--x--x  1 root  operator  185792 Jun 16 09:39 date

In /bin, I have:

    -r-xr-xr-x  1 root  wheel  298904 Jun 10 23:18 /bin/ls
    -r-xr-xr-x  1 root  wheel  185792 Jun 10 23:18 /bin/date

    scsibox# which ls
    /bin/ls
    scsibox# which date
    /bin/date

Also, I found this entry in /etc/passwd:

    ftp:*:14:5::0:0:Anonymous FTP Admin:/hd2/var/ftp:/nonexistent

I took it out. But, it sort of explains why I had /hd2/var/bin and /hd2/var/etc directories.

TIA,
Darren
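
The listings above show matching names and sizes, which does not establish that the copies are identical to the system binaries. The following is an added example, not part of the original message: a shell function that compares each file in a chroot bin directory byte for byte with the same-named file in a reference directory. The function names and the demo files are constructed, and the result is only as trustworthy as the reference directory itself.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# For the layout in the post, run as root: compare_bins /hd2/var/ftp/bin /bin

# Print "mode uid gid" for one file using portable ls output.
perm_owner() {
    ls -ln "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# compare_bins CHROOT_BIN REF_BIN
# One line per file: STATUS name chroot(mode uid gid) | ref(mode uid gid)
#   SAME        byte-identical to the reference copy
#   DIFFER      content differs from the reference copy
#   NOREF       no file of that name in the reference directory
#   UNREADABLE  cannot read one side (mode 111 files need root)
compare_bins() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        ref="$2/$name"
        if [ ! -f "$ref" ]; then
            echo "NOREF $name $(perm_owner "$f")"
        elif [ ! -r "$f" ] || [ ! -r "$ref" ]; then
            echo "UNREADABLE $name $(perm_owner "$f") | $(perm_owner "$ref")"
        elif cmp -s "$f" "$ref"; then
            echo "SAME $name $(perm_owner "$f") | $(perm_owner "$ref")"
        else
            echo "DIFFER $name $(perm_owner "$f") | $(perm_owner "$ref")"
        fi
    done
}

# Constructed demo: one true copy with changed mode, one same-size file
# with different content, and one file with no reference counterpart.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/ref" "$d/chroot"
    printf 'AAAA' > "$d/ref/ls";   cp "$d/ref/ls" "$d/chroot/ls"
    printf 'BBBB' > "$d/ref/date"; printf 'BBBX' > "$d/chroot/date"
    printf 'CCCC' > "$d/chroot/extra"
    chmod 511 "$d/chroot/ls"
    compare_bins "$d/chroot" "$d/ref"
    rm -rf "$d"
}

if [ $# -eq 2 ]; then compare_bins "$1" "$2"; else demo; fi
```

A DIFFER result on a same-size file is the case that the size column in ls -l cannot reveal.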