From owner-freebsd-security Fri Nov 6 08:23:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA19160 for freebsd-security-outgoing; Fri, 6 Nov 1998 08:23:04 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA19153 for ; Fri, 6 Nov 1998 08:22:59 -0800 (PST) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id JAA09910; Fri, 6 Nov 1998 09:21:11 -0700 (MST)
Message-Id: <4.1.19981106091836.04eb61b0@127.0.0.1>
X-Sender: brett@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Fri, 06 Nov 1998 09:21:03 -0700
To: tarkhil@synchroline.ru, mwlucas@exceptionet.com
From: Brett Glass
Subject: Re: *huge* setuid diffs
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This might be a break-in, but it also might be due to the VM bug that
changes file mod dates. (We went to red alert over that one before we
found out about it.) This bug shouldn't be allowed to persist, as it
causes problems with tripwire, etc.

--Brett

At 05:19 PM 11/6/98 +0300, Alexander B. Povolotsky wrote:
> <199811061258.HAA22049@easeway.com>mwlucas@exceptionet.com writes:
>>I just got /etc/security mail from two 2.2.6 servers I administer. The
>>setuid diffs list every setuid program on the server as having been removed
>>and replaced.
>>
>>We haven't done a make world. We haven't touched much of anything.
>>
>>Is this normal, or should I be worried?
>*IMMEDIATELY* shut down both servers and do not bring them to the Internet until
>you have found the reason.
>
>It is *QUITE* abnormal. I would not call it an "exploit", but it is something to
>understand at once.
>
>
>Alex.
>
>--
>Alexander B. Povolotsky, System Administrator
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
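
An added example, not part of the original thread or of FreeBSD's own scripts: a small sh/awk triage that separates setuid entries whose only difference is the modification date (the symptom attributed above to the VM bug) from entries whose mode, link count, owner, group or size changed. The ten-field `ls -l`-style listing format, the function names, the result labels and the sample data are assumptions constructed for illustration; real /etc/security output may be laid out differently.

```shell
#!/bin/sh
# Added example: triage a setuid listing diff.
# Assumed line format (constructed, ls -l style with full timestamps):
#   mode links owner group size month day time year path
# Fields 6-9 are the modification date; paths are assumed to contain no spaces.

classify_setuid_diff() {
    # $1 = listing from the previous run, $2 = listing from the current run
    awk '
        {
            key   = $10
            ident = $1 " " $2 " " $3 " " $4 " " $5   # mode links owner group size
            mtime = $6 " " $7 " " $8 " " $9
        }
        NR == FNR { old_ident[key] = ident; old_mtime[key] = mtime; next }
        {
            seen[key] = 1
            if (!(key in old_ident))          print "ADDED " key
            else if (old_ident[key] != ident) print "CHANGED " key
            else if (old_mtime[key] != mtime) print "MTIME-ONLY " key
        }
        END { for (k in old_ident) if (!(k in seen)) print "REMOVED " k }
    ' "$1" "$2" | sort
}

# MTIME-ONLY narrows the review but proves nothing about file contents;
# those entries still need a checksum comparison (the job tripwire does).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/yesterday" <<'EOF'
-r-sr-xr-x 1 root bin 28672 Jul 21 03:10:11 1998 /usr/bin/passwd
-r-sr-xr-x 1 root bin 16384 Jul 21 03:10:14 1998 /usr/bin/su
-r-sr-xr-x 1 root bin 12288 Jul 21 03:10:20 1998 /usr/bin/rlogin
EOF
    cat > "$tmp/today" <<'EOF'
-r-sr-xr-x 1 root bin 28672 Nov  6 02:01:07 1998 /usr/bin/passwd
-r-sr-xr-x 1 root bin 20480 Nov  6 02:01:07 1998 /usr/bin/su
-r-sr-xr-x 1 root bin 12288 Jul 21 03:10:20 1998 /usr/bin/rlogin
EOF
    classify_setuid_diff "$tmp/yesterday" "$tmp/today"
    rm -rf "$tmp"
}

demo
```

A report in which every entry is MTIME-ONLY matches the date-change symptom described in the reply; any CHANGED, ADDED or REMOVED line is a difference that a date change alone does not explain.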