From owner-freebsd-security Wed Jun 26 16:26:30 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA02492 for security-outgoing; Wed, 26 Jun 1996 16:26:30 -0700 (PDT)
Received: from dworshak.cs.uidaho.edu (dworshak.cs.uidaho.edu [129.101.100.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA02481 for ; Wed, 26 Jun 1996 16:26:28 -0700 (PDT)
Received: from waldrog.cs.uidaho.edu (waldrog.cs.uidaho.edu [129.101.100.23]) by dworshak.cs.uidaho.edu (8.7.5/1.1) with ESMTP id QAA11247; Wed, 26 Jun 1996 16:28:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by waldrog.cs.uidaho.edu (8.7.5/1.0) with SMTP id QAA21948; Wed, 26 Jun 1996 16:26:24 -0700 (PDT)
X-Authentication-Warning: waldrog.cs.uidaho.edu: Host localhost [127.0.0.1] didn't use HELO protocol
To: Troy Arie Cobb
cc: security@freebsd.org
Subject: Re: Odd permission changes
In-reply-to: Your message of "Wed, 26 Jun 1996 18:27:58 PDT."
Date: Wed, 26 Jun 1996 16:26:23 PDT
Message-ID: <21946.835831583@waldrog.cs.uidaho.edu>
From: faried nawaz
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Troy Arie Cobb wrote...

  I have a strange thing that's been happening regularly now,
  following an incident w/ a cracker-type (who is now long gone).
  Now, on Fridays, around 2am, all of the owner-execute permissions
  on all files are removed. This has happened two weeks in a row now.
  I have accounting active and saw the chmod, but no one was logged
  in, and the daily/weekly scripts don't have any chmods in them.

What about binaries, like `cron' or `at' or `chmod'? Have they been
tampered with? Do you run any unusual daemons? Any incorrect
crontab/at jobs?

What happens when you do `chmod 000 /bin/chmod' (note: be sure to have
a copy of chmod from another machine w/ permissions to fix /bin/chmod
before you try this!)?

  I need to buy a clue, any help?

If you find out, please let me/us know. I've never seen that before.
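
One way to carry out the crontab check suggested in the reply above, as an added example that is not part of the original message: list every entry that fires during a given hour on a given day and flag those whose command line mentions chmod. It assumes the system `/etc/crontab` layout with a user column; the sample crontab, paths and function names are constructed for illustration.

```python
import re

# Constructed sample in /etc/crontab format (user column present); not from the thread.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# minute hour mday month wday user command
0 2 * * * root /etc/daily 2>&1
30 3 * * 6 root /etc/weekly 2>&1
5 2 * * 5 root /usr/local/libexec/cleanup.sh
*/15 1-3 * * fri root find /home -type f -exec chmod u-x {} +
0 2 13 * mon operator /usr/local/bin/report
"""

NAMES = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}
NAMES.update({m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)})

def field_matches(field, value, lo, hi):
    """True if one cron field (lists, ranges, steps, '*', names) covers value."""
    num = lambda s: NAMES[s] if s in NAMES else int(s)
    for part in field.lower().split(","):
        rng, _, step = part.partition("/")
        first, _, last = rng.partition("-")
        start, end = (lo, hi) if rng == "*" else (num(first), num(last or first))
        if start <= value <= end and (value - start) % int(step or 1) == 0:
            return True
    return False

def fires_at(fields, minute, hour, mday, month, wday):
    mi, hr, dom, mon, dow = fields
    dom_ok = field_matches(dom, mday, 1, 31)
    dow_ok = field_matches(dow, wday, 0, 7) or (wday == 0 and field_matches(dow, 7, 0, 7))
    # Vixie cron: when both day fields are restricted, either one matching is enough.
    day_ok = (dom_ok and dow_ok) if "*" in (dom[0], dow[0]) else (dom_ok or dow_ok)
    return (field_matches(mi, minute, 0, 59) and field_matches(hr, hour, 0, 23)
            and field_matches(mon, month, 1, 12) and day_ok)

def suspects(crontab, hour, mday, month, wday, pattern=r"\bchmod\b"):
    """(line, user, command, flagged) for entries firing at any minute of the hour."""
    hits = []
    for n, line in enumerate(crontab.splitlines(), 1):
        cols = line.split(None, 6)
        if line.lstrip().startswith(("#", "@")) or len(cols) < 7:
            continue  # comment, blank, VAR=value, or @-shortcut (not handled here)
        if any(fires_at(cols[:5], m, hour, mday, month, wday) for m in range(60)):
            hits.append((n, cols[5], cols[6], bool(re.search(pattern, cols[6]))))
    return hits

if __name__ == "__main__":
    for hit in suspects(SAMPLE_CRONTAB, hour=2, mday=28, month=6, wday=5):  # a Friday, 2am
        print(hit)
```

An unflagged entry that runs a script (line 5 in the sample) still needs the script itself read, since the pattern only sees the crontab command line.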