From owner-freebsd-security Fri Nov 6 06:18:21 1998
Message-Id: <199811061419.RAA01848@enterprise.sl.ru>
To: mwlucas@exceptionet.com
cc: freebsd-security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
In-reply-to: Your message "Fri, 06 Nov 1998 07:58:31 EST." <199811061258.HAA22049@easeway.com>
Reply-To: tarkhil@synchroline.ru
Date: Fri, 06 Nov 1998 17:19:13 +0300
From: "Alexander B. Povolotsky"

<199811061258.HAA22049@easeway.com> mwlucas@exceptionet.com writes:
>I just got /etc/security mail from two 2.2.6 servers I administer. The
>setuid diffs list every setuid program on the server as having been removed
>and replaced.
>
>We haven't done a make world. We haven't touched much of anything.
>
>Is this normal, or should I be worried?

*IMMEDIATELY* shut down both servers and do not bring them back onto the
Internet until you have found the reason. It is *QUITE* abnormal. I would
not call it an "exploit", but it is something to understand at once.

Alex.
--
Alexander B. Povolotsky, System Administrator