Date: Thu, 10 Aug 1995 11:45:31 -0500 (CDT)
From: Mike Pritchard <mpp@mpp.minn.net>
To: jc@irbs.com (John Capo)
Cc: freebsd-hackers@freebsd.org
Subject: Re: daily insecurity output (fwd)
Message-ID: <199508101645.LAA00583@mpp.minn.net>
In-Reply-To: <199508101225.IAA06725@irbs.irbs.com> from "John Capo" at Aug 10, 95 08:25:52 am
John Capo wrote:
> Mike Pritchard writes:
> >
> > I received the following from the security section of my /etc/daily
> > report, and I'm not totally sure what to make of it. My last
> > make world/install was on Jul 13, but I know I did not re-install
> > a new /bin/ps today. However, I did reboot my machine at 18:23
> > at that time to clear up a problem that was causing all of the virtual
> > consoles to be unusable.
> >
> > > checking setuid files and devices:
> > > mpp setuid/device diffs:
> > > 2c2
> > > < -r-xr-sr-x 1 bin kmem 151552 Jul 13 18:04:08 1995 /bin/ps
> > > ---
> > > > -r-xr-sr-x 1 bin kmem 151552 Aug 9 18:23:38 1995 /bin/ps
> >
> > I think I also located another binary with an odd timestamp,
> > but I'll have to look into that some more.
> >
> > Probably the most important fact in all this is that the reboot
> > I did at 18:23 was to boot a -current kernel. Before that
> > I was running a kernel that was about 2 - 2.5 weeks behind
> > -current.
> >
> > Does anyone have any ideas about this?
> >
> > (I'm doing a full security audit as I type this to see if I might
> > have had a real break-in)
>
> The date on /bin/df changed on me last week. I didn't look at the
> security mail till several days later. The new date corresponded
> with a full backup of two systems in preparation for Erin, which
> never got here.
>
> I supped new sources for df, built it, and it compared OK with
> /bin/df. There was no evidence of an intruder. An intruder that
> is good enough to get root and mess with /bin would also be able
> to mung the dates back to match the old binary.
>
> Something's fishy.

I agree. I determined that there is no evidence of an intruder. I did find a few odd things.
The following files all had mtime/ctime times that they should not have:

/bin/ps                              08/09/1995 18:23
/usr/share/games/fortune/fortune.dat 08/09/1995 17:18:45
/usr/local/bin/elm                   08/10/1995 03:13:11
/usr/sbin/named                      08/10/1995 03:13:11
/sbin/init                           08/10/1995 03:13:11

I was able to regenerate all of the binaries from source and verify that they matched what was installed, and that the sources were also good, so it looks like the only thing that changed was the time stamps on the files.

Since the only new thing on my machine in the last 24 hours was a new -current kernel that I booted at 08/09 18:23 (which matches the time on /bin/ps above, which is odd), I decided to drop back to an older "good" kernel. During the reboot the fsck of /usr failed with:

BAD SUPER BLOCK: NCG OUT OF RANGE

The first alternate super block was good, and after allowing fsck to continue with it, the file system came up clean.

The only thing that should have been running at 03:13 was my daily sup (I sup the whole source/posts tree every night at 03:00). I re-ran a sup with my older kernel and no time stamps changed.

So with all that said, I'm suspicious of the -current kernel I was running from 8/9 18:23 till just about an hour ago.

--
Mike Pritchard
mpp@mpp.minn.net
"Go that way. Really fast. If something gets in your way, turn"
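The check both messages describe by hand (rebuild from source, compare with the installed binary) can be automated as a set-id baseline that records a content hash next to the mode/owner/mtime fields the daily security report diffs, so a timestamp-only change is reported differently from a replaced binary. This is an added example, not code from this thread or from FreeBSD's /etc/security; the scratch tree, file names and contents it builds are constructed stand-ins.

```python
# Constructed example, not code from the thread or from FreeBSD's /etc/security.
import hashlib
import os
import stat
import tempfile

def setuid_baseline(root):
    """Map relative path -> record for every setuid/setgid regular file under root."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                continue
            with open(p, "rb") as f: digest = hashlib.sha256(f.read()).hexdigest()
            base[os.path.relpath(p, root)] = {"mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime), "sha256": digest}
    return base

def classify(old, new):
    """Return {path: verdict} for every file whose record differs between two baselines."""
    out = {}
    for p in set(old) | set(new):
        if p not in old:
            out[p] = "new set-id file"
        elif p not in new:
            out[p] = "set-id bit removed or file gone"
        elif old[p]["sha256"] != new[p]["sha256"]:
            out[p] = "CONTENT CHANGED"  # what a replaced binary looks like
        elif any(old[p][k] != new[p][k] for k in ("mode", "uid", "gid")):
            out[p] = "mode/owner changed"
        elif old[p]["mtime"] != new[p]["mtime"]:
            out[p] = "timestamp only (content identical)"  # what the thread observed
    return out

def demo():
    """Scratch tree: bin/ps gets a new mtime with identical bytes; bin/df is replaced."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    ps, df = (os.path.join(root, "bin", n) for n in ("ps", "df"))
    for path in (ps, df):
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho " + os.path.basename(path).encode() + b"\n")
        os.chmod(path, 0o4755)  # setuid stand-in for the real binaries
    before = setuid_baseline(root)
    os.utime(ps, (before["bin/ps"]["mtime"] + 86400,) * 2)  # touch: mtime moves, bytes do not
    with open(df, "wb") as f: f.write(b"#!/bin/sh\necho tampered\n")
    os.chmod(df, 0o4755)  # an unprivileged write drops set-id bits; restore so only content differs
    return classify(before, setuid_baseline(root))
```

Run `demo()` to see the two verdicts; on a real host you would keep the baseline from a known-good install and diff it against a fresh walk of / instead of the scratch tree.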