Date: Fri, 6 Nov 1998 21:10:52 -0500 (EST)
From: mwlucas@exceptionet.com
To: brett@lariat.org (Brett Glass), freebsd-security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
Message-ID: <199811070210.VAA00825@easeway.com>
In-Reply-To: <4.1.19981106091836.04eb61b0@127.0.0.1> from Brett Glass at "Nov 6, 98 09:21:03 am"
> This might be a breakin, but it also might be due to the VM
> bug that changes file mod dates. (We went to red alert
> over that one before we found out about it.)

Upon careful checking, it seems that someone (a known someone, not an
intruder) reset the clock and timezone on these machines. The diff is
in the timestamp, i.e.:

server~;grep df suidmessage
< -r-xr-sr-x 1 bin operator 53248 Mar 25 01:51:04 1998 /bin/df
> -r-xr-sr-x 1 bin operator 53248 Mar 24 20:51:04 1998 /bin/df

This matches symptoms in the mail archives (now that I'm searching for
"vm bug" and not "setuid diffs" :)

My apologies for dumping this to the list right away: one of the
servers in question handles credit card numbers, and the last thing I
needed was a hack.

Big thanks to everyone who responded!

==ml

--
Michael Lucas | Exceptionet, Inc. | www.exceptionet.com
"Exceptional Networking" |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
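
The triage described in the message above, as an added example that is not part of the original e-mail: it pairs the "<" and ">" lines of a setuid diff and separates entries whose only change is a whole- or half-hour timestamp shift from entries whose mode, owner or size changed. The function names and the /usr/bin/passwd sample pair are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample in the format quoted in the message ("<" old, ">" new).
# The /bin/df pair is from the message; the passwd pair is invented for contrast.
SAMPLE = """\
< -r-xr-sr-x 1 bin operator 53248 Mar 25 01:51:04 1998 /bin/df
> -r-xr-sr-x 1 bin operator 53248 Mar 24 20:51:04 1998 /bin/df
< -r-sr-xr-x 1 root bin 24576 Mar 25 01:52:10 1998 /usr/bin/passwd
> -r-sr-xr-x 1 root bin 28672 Nov  6 03:12:45 1998 /usr/bin/passwd
"""

def parse(line):
    """Split one diff line into (side, path, attrs, mtime)."""
    f = line.split()
    side, mode, links, owner, group, size = f[:6]
    mtime = datetime.strptime(" ".join(f[6:10]), "%b %d %H:%M:%S %Y")
    return side, " ".join(f[10:]), (mode, links, owner, group, size), mtime

def triage(text):
    """Return {path: verdict} for every path that appears in the diff."""
    old, new = {}, {}
    for line in text.splitlines():
        if line.startswith(("<", ">")):
            side, path, attrs, mtime = parse(line)
            (old if side == "<" else new)[path] = (attrs, mtime)
    verdicts = {}
    for path in sorted(set(old) | set(new)):
        if path not in old or path not in new:
            verdicts[path] = "added or removed: investigate"
            continue
        (attrs_old, t_old), (attrs_new, t_new) = old[path], new[path]
        shift = (t_new - t_old).total_seconds()
        if attrs_old != attrs_new:
            verdicts[path] = "mode/owner/size changed: investigate"
        elif shift % 1800 == 0 and abs(shift) <= 14 * 3600:
            # Whole or half hours within the range of real UTC offsets.
            verdicts[path] = ("timestamp-only, shift %+.1fh: consistent "
                              "with a clock/timezone change" % (shift / 3600))
        else:
            verdicts[path] = "timestamp changed irregularly: investigate"
    return verdicts

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(path, "->", verdict)
```

An unchanged size and mode does not prove the file contents are unchanged; comparing checksums against a known-good copy settles that.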