From owner-freebsd-security Wed Aug 5 15:18:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA03984 for freebsd-security-outgoing; Wed, 5 Aug 1998 15:18:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA03979 for ; Wed, 5 Aug 1998 15:18:14 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id AAA20451 for security@FreeBSD.ORG; Thu, 6 Aug 1998 00:17:54 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (VMailer, from userid 101) id 9D36C1514; Wed, 5 Aug 1998 23:47:00 +0200 (CEST) Message-ID: <19980805234700.A23220@keltia.freenix.fr> Date: Wed, 5 Aug 1998 23:47:00 +0200 From: Ollivier Robert To: security@FreeBSD.ORG Subject: Re: Does this mean we have another breakin? Mail-Followup-To: security@FreeBSD.ORG References: <199808051643.KAA04281@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93i In-Reply-To: <199808051643.KAA04281@lariat.lariat.org>; from Brett Glass on Wed, Aug 05, 1998 at 10:27:30AM -0600 X-Operating-System: FreeBSD 3.0-CURRENT ctm#4527 AMD-K6 MMX @ 200 MHz Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Brett Glass: > setuid diffs: > 9c9 > < -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/restore > --- > > -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/restore Verify, if you have them, the MD5 checksums. If they don't have changed, you've been hit by a VM bug where mod. time is changed even if the executable has only been loaded. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message