From owner-freebsd-hackers Thu Aug 10 05:26:20 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id FAA01779 for hackers-outgoing; Thu, 10 Aug 1995 05:26:20 -0700
Received: from irbs.irbs.com (irbs.com [199.182.75.129]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id FAA01773 for ; Thu, 10 Aug 1995 05:26:07 -0700
Received: (from jc@localhost) by irbs.irbs.com (8.6.11/8.6.6) id IAA06725; Thu, 10 Aug 1995 08:25:54 -0400
From: John Capo
Message-Id: <199508101225.IAA06725@irbs.irbs.com>
Subject: Re: daily insecurity output (fwd)
To: mpp@mpp.minn.net (Mike Pritchard)
Date: Thu, 10 Aug 1995 08:25:52 -0400 (EDT)
Cc: freebsd-hackers@freebsd.org
In-Reply-To: <199508100907.EAA02358@mpp.minn.net> from "Mike Pritchard" at Aug 10, 95 04:07:35 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1599
Sender: hackers-owner@freebsd.org
Precedence: bulk

Mike Pritchard writes:
>
> I received the following from the security section of my /etc/daily
> report, and I'm not totally sure what to make of it. My last
> make world/install was on Jul 13, but I know I did not re-install
> a new /bin/ps today. However, I did reboot my machine at 18:23
> at that time to clear up a problem that was causing all of the virtual
> consoles to be unusable.
>
> > checking setuid files and devices:
> > mpp setuid/device diffs:
> > 2c2
> > < -r-xr-sr-x 1 bin kmem 151552 Jul 13 18:04:08 1995 /bin/ps
> > ---
> > > -r-xr-sr-x 1 bin kmem 151552 Aug 9 18:23:38 1995 /bin/ps
>
> I think I also located another binary with an odd timestamp,
> but I'll have to look into that some more.
>
> Probably the most important fact in all this is that the reboot
> I did at 18:23 was to boot a -current kernel. Before that
> I was running a kernel that was about 2 - 2.5 weeks behind
> -current.
>
> Does anyone have any ideas about this?
>
> (I'm doing a full security audit as I type this to see if I might
> have had a real break-in)

The date on /bin/df changed on me last week. I didn't look at the
security mail till several days later. The new date corresponded with
a full backup of two systems in preparation for Erin, which never got
here. I supped new sources for df, built it, and it compared OK with
/bin/df. There was no evidence of an intruder.

An intruder that is good enough to get root and mess with /bin would
also be able to mung the dates back to match the old binary.

Something's fishy.

John Capo
IRBS Engineering
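Added example, not part of the thread or of FreeBSD's /etc/daily: a small parser for the setuid listing format quoted above and a comparison that says which fields changed per path, so an mtime-only change (what Mike saw on /bin/ps) can be told apart from a size, mode or ownership change or a new setuid binary. The two /bin/ps lines are taken from the report; the /bin/df and /usr/local/bin/newtool lines are constructed sample data, and sha256_file is the content check John did by hand when he rebuilt df and compared it.

```python
import hashlib
import re
from typing import Dict, List

# Listing lines as /etc/daily's setuid/device check records them:
# mode links owner group size mtime path. /bin/ps lines are from the report
# quoted above; /bin/df and /usr/local/bin/newtool are constructed samples.
BASELINE = """\
-r-xr-sr-x 1 bin kmem 151552 Jul 13 18:04:08 1995 /bin/ps
-r-sr-xr-x 1 root bin 40960 Jul 13 18:04:10 1995 /bin/df
"""
TODAY = """\
-r-xr-sr-x 1 bin kmem 151552 Aug 9 18:23:38 1995 /bin/ps
-r-sr-xr-x 1 root bin 40960 Jul 13 18:04:10 1995 /bin/df
-r-sr-xr-x 1 root wheel 12288 Aug 9 18:30:00 1995 /usr/local/bin/newtool
"""

LINE_RE = re.compile(
    r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+(.+)$")

def parse_listing(text: str) -> Dict[str, dict]:
    """Map path -> {mode, owner, group, size, mtime}; skip lines that don't parse."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mode, owner, group, size, mtime, path = m.groups()
            entries[path] = {"mode": mode, "owner": owner, "group": group,
                             "size": int(size), "mtime": mtime}
    return entries

def compare_listings(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, List[str]]:
    """Per path, the list of changed fields, or ['added'] / ['removed']."""
    report = {}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report[path] = ["added"]
        elif path not in new:
            report[path] = ["removed"]
        else:
            changed = [k for k in old[path] if old[path][k] != new[path][k]]
            if changed:
                report[path] = changed
    return report

def sha256_file(path: str) -> str:
    """Content digest to compare an installed binary with one rebuilt from
    source; an intruder with root can reset mtime, but not a matching hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()
```

An mtime-only entry is the one worth following up with sha256_file against a freshly built copy; an added setuid path or a size/mode change is a finding on its own.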