From owner-freebsd-security Thu Jun 27 07:39:35 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA01532 for security-outgoing; Thu, 27 Jun 1996 07:39:35 -0700 (PDT)
Received: from maki.wwa.com (maki.wwa.com [198.49.174.21]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA01523 for ; Thu, 27 Jun 1996 07:39:31 -0700 (PDT)
Received: from wendigo.trans.sni-usa.com by maki.wwa.com with smtp (Smail3.1.29.1 #1) id m0uZIE4-000rLjC; Thu, 27 Jun 96 09:39 CDT
Received: from vogon.trans.sni-usa.com (vogon [136.157.83.215]) by wendigo.trans.sni-usa.com (8.7.5/8.6.12) with ESMTP id JAA21545; Thu, 27 Jun 1996 09:34:23 -0500 (CDT)
Received: from shyam.trans.sni-usa.com (shyam.trans.sni-usa.com [136.157.82.43]) by vogon.trans.sni-usa.com (8.6.12/8.6.12) with SMTP id JAA10329; Thu, 27 Jun 1996 09:47:05 -0500
From: hal@snitt.com (Hal Snyder)
To: Troy Arie Cobb
Cc: security@freebsd.org
Subject: Re: Odd permission changes
Date: Thu, 27 Jun 1996 14:39:34 GMT
Organization: Siemens Nixdorf Transportation Technologies
Message-ID: <31d29c6e.3939041@vogon.trans.sni-usa.com>
References:
In-Reply-To:
X-Mailer: Forte Agent .99e/32.227
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 26 Jun 1996 18:27:58 -0400 (EDT), you wrote:

> I have a strange thing that's been happening regularly now,
> following an incident w/ a cracker-type (who is now long
> gone). Now, on Fridays, around 2am, all of the owner-execute
> permissions on all files is removed. This has happened two
> weeks in a row now, I have accounting active and saw the
> chmod, but no one was logged in, and the daily/weekly scripts
> don't have any chmods in them.

If searches of cron and at tables don't help, I'd hack the kernel to
track chmod calls to syslog, including timestamp, real userid, and
program name.