Date: Wed, 05 Aug 1998 10:27:30 -0600 From: Brett Glass <brett@lariat.org> To: security@FreeBSD.ORG Subject: Does this mean we have another breakin? Message-ID: <199808051643.KAA04281@lariat.lariat.org>
next in thread | raw e-mail | index | archive | help
Found this in the security output this morning, after ANOTHER spontaneous crash. setuid diffs: 9c9 < -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/restore --- > -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/restore 11c11 < -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/rrestore --- > -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/rrestore Does this mean we have intruders? I think I might have *run* restore at that time as root, but didn't think it was self-modifying. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199808051643.KAA04281>