From owner-freebsd-security Fri Nov 6 18:26:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA10315 for freebsd-security-outgoing; Fri, 6 Nov 1998 18:26:23 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from easeway.com (ns1.easeway.com [209.69.71.100]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA10299 for ; Fri, 6 Nov 1998 18:26:19 -0800 (PST) (envelope-from mwlucas@easeway.com)
Received: (from mwlucas@localhost) by easeway.com (8.8.8/8.8.5) id VAA00825; Fri, 6 Nov 1998 21:10:52 -0500 (EST)
Message-Id: <199811070210.VAA00825@easeway.com>
Subject: Re: *huge* setuid diffs
In-Reply-To: <4.1.19981106091836.04eb61b0@127.0.0.1> from Brett Glass at "Nov 6, 98 09:21:03 am"
To: brett@lariat.org (Brett Glass), freebsd-security@FreeBSD.ORG
Date: Fri, 6 Nov 1998 21:10:52 -0500 (EST)
From: mwlucas@exceptionet.com
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> This might be a break-in, but it also might be due to the VM
> bug that changes file mod dates. (We went to red alert
> over that one before we found out about it.)

Upon careful checking, it seems that someone (a known someone, not an intruder) reset the clock and timezone on these machines. The diff is in the timestamp, i.e.:

server~;grep df suidmessage
< -r-xr-sr-x  1 bin  operator  53248 Mar 25 01:51:04 1998 /bin/df
> -r-xr-sr-x  1 bin  operator  53248 Mar 24 20:51:04 1998 /bin/df

This matches symptoms in the mail archives (now that I'm searching for "vm bug" and not "setuid diffs" :)

My apologies for dumping this to the list right away: one of the servers in question handles credit card numbers, and the last thing I needed was a hack.

Big thanks to everyone who responded!

==ml
--
Michael Lucas | Exceptionet, Inc.
| www.exceptionet.com "Exceptional Networking" |
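The thread above shows why diffing formatted `ls -l` output is a weak integrity check: a clock or timezone reset moves the rendered timestamp on every setuid binary at once and produces a "huge" diff with no real change. The following is an added example, not code from the list post or from FreeBSD's own daily security script. It records the attributes that do not depend on how a time is rendered (mode, owner, size, mtime as epoch seconds, and a SHA-256 of the contents), compares two such reports, and includes a small heuristic that recognises the timezone-shift pattern in old-style reports (every entry moved by the same whole number of hours). The function names, the `demo()` directory layout and the fake `df` file are all constructed for this example.

```python
"""Timezone-independent setuid/setgid audit (added example, not from the thread)."""
import hashlib
import os
import stat
import tempfile
from datetime import datetime

# Timestamp layout seen in the quoted diff, e.g. "Mar 25 01:51:04 1998".
LS_TIME_FMT = "%b %d %H:%M:%S %Y"


def timestamp_delta_hours(a, b):
    """Hours between two ls-style timestamps, parsed as naive local times."""
    ta = datetime.strptime(a, LS_TIME_FMT)
    tb = datetime.strptime(b, LS_TIME_FMT)
    return (ta - tb).total_seconds() / 3600.0


def looks_like_clock_shift(deltas):
    """True when every changed entry moved by the same non-zero whole number of
    hours: the fingerprint of a timezone/clock change rather than edited files."""
    if not deltas:
        return False
    first = deltas[0]
    whole = abs(first - round(first)) < 1e-9
    return first != 0 and whole and all(abs(d - first) < 1e-9 for d in deltas)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def suid_report(root):
    """Map path -> attributes for every setuid/setgid regular file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            report[path] = {
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": int(st.st_mtime),  # epoch seconds: unaffected by TZ or locale
                "sha256": sha256_of(path),
            }
    return report


def compare_reports(old, new):
    """Return (path, field, old_value, new_value) tuples; appearance or
    disappearance of a file is reported under the field name 'present'."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append((path, "present", False, True))
        elif path not in new:
            changes.append((path, "present", True, False))
        else:
            for field in old[path]:
                if old[path][field] != new[path][field]:
                    changes.append((path, field, old[path][field], new[path][field]))
    return changes


def demo():
    """Constructed demo: one fake setuid 'df', re-stamped with the same instant
    (no change reported), then replaced with different content (change reported)."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "df")
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        os.chmod(path, 0o4755)  # hypothetical setuid binary owned by the caller
        before = suid_report(root)
        st = os.stat(path)
        os.utime(path, (st.st_atime, st.st_mtime))  # same epoch, however it is displayed
        unchanged = compare_reports(before, suid_report(root))
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho replaced\n")  # same size, different content
        os.chmod(path, 0o4755)  # the kernel clears setuid on write; restore for the demo
        os.utime(path, (st.st_atime, st.st_mtime + 3600))
        changed = compare_reports(before, suid_report(root))
        return unchanged, [c[1] for c in changed]


if __name__ == "__main__":
    # The two lines quoted in the message differ by exactly five hours.
    print(timestamp_delta_hours("Mar 25 01:51:04 1998", "Mar 24 20:51:04 1998"))
    print(demo())
```

Run it as root against `/` to produce a report worth keeping off-box; a later run compared with `compare_reports` then flags only real changes, and a hash mismatch on a setuid binary is the signal that deserves the red alert, not a rendered date.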