From owner-freebsd-security Fri Nov 6 09:10:54 1998
From: erics@now.com (Eric Siegerman)
Subject: Re: *huge* setuid diffs
To: tarkhil@synchroline.ru
Date: Fri, 6 Nov 1998 11:53:47 -0500
Cc: mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru> from "Alexander B. Povolotsky" at Nov 6, 98 09:19:13 am

Alexander B. Povolotsky wrote:
>
> <199811061258.HAA22049@easeway.com>mwlucas@exceptionet.com writes:
> >I just got /etc/security mail from two 2.2.6 servers I administer. The
> >setuid diffs list every setuid program on the server as having been removed
> >and replaced.

One possibility is that *one* file's size changed by enough to add or
subtract a digit, which caused the two "ls -l" outputs to have different
spacing. A simple "diff" would report all the lines as having changed.
At some point, /etc/security got smart enough to ignore such spurious
differences. But I can't recall whether this had happened by 2.2.6.

> It is *QUITE* abnormal. I would not call it "exploit", but it is something to
> understand at once.

It may or may not be abnormal, and it's more or less likely to be an
intrusion -- both depending on your OS version; see above. But it's
absolutely "something to understand at once"!

--
|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.  erics@now.com
|  |  /    The Rock & Roll Baby Theorem:
               Syllables(x+"baby") = Syllables("baby"+x) = Syllables(x) + 2
               SemanticContent(x+"baby") = SemanticContent("baby"+x) = SemanticContent(x)
                       - Anonymous
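The column-alignment effect Eric describes, as an added example that is not part of the original thread: two constructed "ls -l" style listings of setuid binaries in which only one file's size grows by a digit. A plain diff flags every line (the "all removed and replaced" symptom), while a whitespace-insensitive diff (-b) reports only the file that really changed. File names, sizes and dates are constructed sample data, not from any real system.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the spurious
# setuid diff caused by ls re-padding its size column.

# Constructed sample: yesterday's setuid listing, all sizes 4 digits wide.
OLD='-r-sr-xr-x  1 root  wheel   8192 Nov  1 1998 /usr/bin/passwd
-r-sr-xr-x  1 root  wheel   6144 Nov  1 1998 /usr/bin/su
-r-sr-xr-x  1 root  wheel   9216 Nov  1 1998 /usr/bin/login'

# Constructed sample: today's listing. Only /usr/bin/su grew past 9999
# bytes, so ls widens the size column and re-pads every other line too.
NEW='-r-sr-xr-x  1 root  wheel    8192 Nov  1 1998 /usr/bin/passwd
-r-sr-xr-x  1 root  wheel   12288 Nov  1 1998 /usr/bin/su
-r-sr-xr-x  1 root  wheel    9216 Nov  1 1998 /usr/bin/login'

# Write both listings to temp files, diff them with the given flag
# ("" or -b), and return the number of "<" / ">" lines diff printed.
count_changed() {
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' "$OLD" > "$old"
    printf '%s\n' "$NEW" > "$new"
    n=$(diff $1 "$old" "$new" | grep -c '^[<>]')
    rm -f "$old" "$new"
    echo "$n"
}

# Plain diff: padding changed on every line, so every file looks replaced.
naive_changed()  { count_changed ""; }

# diff -b ignores changes in the amount of whitespace, so only the one
# file whose size actually changed is reported.
robust_changed() { count_changed -b; }

echo "plain diff changed lines:   $(naive_changed)"   # 6 (3 removed, 3 added)
echo "diff -b changed lines:      $(robust_changed)"  # 2 (just /usr/bin/su)
```

The same spurious result appears whenever any aligned column (link count, owner, size) changes width, so a periodic-integrity script should compare normalized fields, not raw ls output.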