Date: Tue, 24 Jul 2001 13:47:58 -0400 (EDT)
From: Rob Simmons <rsimmons@wlcg.com>
To: Jon Loeliger <jdl@jdl.com>
Cc: <security@FreeBSD.ORG>
Subject: Re: Security Check Diffs Question
Message-ID: <20010724134421.I44940-100000@mail.wlcg.com>
In-Reply-To: <200107241632.LAA05639@chrome.jdl.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

If you have access to the same binaries on another machine, run ident
against both.  If there are _no_ RCS keyword strings in the questionable
binaries, there is definitely a problem.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Tue, 24 Jul 2001, Jon Loeliger wrote:

> Hi Folks,
>
> This morning, on a machine that's been up for 33 days,
> I suddenly saw these /etc/security diffs:
>
> <host> setuid diffs:
> 20,22c20,22
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
> ---
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
> 53,55c53,55
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
> ---
> > 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
>
>
> So, how paranoid am I here?  How concerned am I?
> What compromise of my system just took place?
> Couple things to notice:
>
> - The files now take fewer 512K blocks,
>   but their sizes are the same?
>
> - Most of the inodes stayed the same.  Exact same.
>   Are these hard linked files?  Should be, right?
>
> - The inode for ypchfn changed!
>   It's no longer hard linked, right?
>
> No form of disk restructuring, fsck, defrag, etc, was initiated by me.
>
> Note that:
>
> www 181 # cmp /usr/bin/{ypchpass,ypchfn}
> /usr/bin/ypchpass /usr/bin/ypchfn differ: char 25, line 1
>
> Here is a `strings /usr/bin/ypchfn`:
>
> www 182 # strings /usr/bin/ypchfn
> /usr/libexec/ld-elf.so.1
> FreeBSD
> libcrypt.so.2
> _DYNAMIC
> _init
> __deregister_frame_info
> crypt
> strcmp
> _fini
> _GLOBAL_OFFSET_TABLE_
> __register_frame_info
> libc.so.4
> strerror
> execl
> environ
> fprintf
> __progname
> __error
> setgid
> __sF
> execv
> getpwuid
> getpwnam
> atexit
> exit
> strchr
> execvp
> setuid
> _etext
> _edata
> __bss_start
> _end
> 8/u
> QR2cc.wsLFbKU
> root
>
> If someone didn't hack my system, I took a disk hit and lost
> part of that file, right?
>
> What other log files am I dissecting or where else am I poking
> for further evidence?
>
> Am I blowing away the bogus(?) /usr/bin/ypchfn and re-making
> it a hard link to the others again?
>
> jdl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7XbTTv8Bofna59hYRA/qmAJ94c+qf42IHuHEzpc9XTomFyoE02ACgpD2V
0paUeTayTHx4/WC6YDwkWxQ=
=yz9c
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
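The two checks discussed in this thread, the hard-link/inode relationship among the chpass family that the /etc/security diff exposes and the ident(1) keyword-string test Rob suggests, can be scripted so the same comparison is repeatable across machines. The following Python is an added example written for this page; it is not code from the thread or from FreeBSD. It assumes the chpass family should all share one inode (as the original diff shows with link count 6), and its keyword pattern is an approximation of what ident(1) matches (the standard RCS keywords plus $FreeBSD$); the `demo()` function builds constructed stand-in files in a temporary directory rather than touching real binaries.

```python
import os
import re
import shutil
import tempfile

# ident(1) reports RCS keyword strings of the form "$Keyword: text $" or
# "$Keyword$".  This pattern is an approximation covering the standard RCS
# keywords plus the $FreeBSD$ tag the FreeBSD build embeds in binaries.
IDENT_RE = re.compile(
    rb"\$(?:Author|Date|FreeBSD|Header|Id|Locker|Log|Name|RCSfile|Revision|Source|State)"
    rb"(?::[^$\n]*)?\$"
)


def find_ident(data: bytes) -> list:
    """Return the RCS keyword strings found in a byte buffer, in file order."""
    return [m.decode("ascii", "replace") for m in IDENT_RE.findall(data)]


def ident_strings(path: str) -> list:
    """Rough equivalent of `ident <path>`: keyword strings embedded in the file."""
    with open(path, "rb") as fh:
        return find_ident(fh.read())


def same_bytes(a: str, b: str) -> bool:
    """Byte-for-byte comparison, like a silent `cmp`."""
    with open(a, "rb") as fa, open(b, "rb") as fb:
        return fa.read() == fb.read()


def check_link_set(paths: list, expected_nlink=None) -> list:
    """Check that `paths` are all hard links to one inode (as chpass, chfn,
    chsh and their yp* names should be) and that each carries RCS keyword
    strings.  Returns human-readable findings; an empty list means clean."""
    findings = []
    ref = paths[0]
    ref_st = os.stat(ref)
    if expected_nlink is not None and ref_st.st_nlink != expected_nlink:
        findings.append("%s: link count %d, expected %d"
                        % (os.path.basename(ref), ref_st.st_nlink, expected_nlink))
    for p in paths[1:]:
        st = os.stat(p)
        if (st.st_dev, st.st_ino) != (ref_st.st_dev, ref_st.st_ino):
            findings.append("%s: not hard-linked to %s (inode %d vs %d)"
                            % (os.path.basename(p), os.path.basename(ref),
                               st.st_ino, ref_st.st_ino))
            # A separate inode with identical bytes is odd; with different
            # bytes it is the case the thread describes.
            if not same_bytes(p, ref):
                findings.append("%s: content differs from %s"
                                % (os.path.basename(p), os.path.basename(ref)))
    for p in paths:
        if not ident_strings(p):
            findings.append("%s: no RCS keyword strings" % os.path.basename(p))
    return findings


def demo() -> list:
    """Constructed reproduction of the thread's symptom: five names sharing one
    inode, and ypchfn on its own inode with different bytes and no keyword
    string.  The files are fake stand-ins, not real setuid binaries."""
    tmp = tempfile.mkdtemp()
    try:
        good = os.path.join(tmp, "chpass")
        with open(good, "wb") as fh:
            # constructed sample: a fake keyword string in a fake binary
            fh.write(b"\x7fELF fake $FreeBSD: example/chpass.c,v 1.0 "
                     b"2001/01/01 00:00:00 example Exp $ root\n")
        for name in ("chfn", "chsh", "ypchpass", "ypchsh"):
            os.link(good, os.path.join(tmp, name))
        bad = os.path.join(tmp, "ypchfn")
        with open(bad, "wb") as fh:
            fh.write(b"\x7fELF fake ypchfn root\n")   # no keyword string
        names = ("chpass", "chfn", "chsh", "ypchpass", "ypchsh", "ypchfn")
        return check_link_set([os.path.join(tmp, n) for n in names],
                              expected_nlink=6)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the same `check_link_set` on two hosts with the same release and comparing the `ident_strings` output between them is the cross-machine check Rob describes; a binary that has lost its keyword strings while its siblings still carry them is the signal, whereas a simple inode change on its own can also follow an ordinary reinstall of one file.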
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010724134421.I44940-100000>