From: Raimund Sacherer
Reply-To: Raimund Sacherer
To: freebsd-questions@freebsd.org
Date: Wed, 18 Feb 2015 10:13:45 +0100 (CET)
Subject: setuid diffs in daily security run output
Message-ID: <535737942.88794111.1424250825035.JavaMail.zimbra@logitravel.com>
In-Reply-To: <1630133808.88787292.1424250372563.JavaMail.zimbra@logitravel.com>
X-Mailer: Zimbra 8.0.8_GA_6184 (ZimbraWebClient - SAF7 (Mac)/8.0.8_GA_6184)
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1

Hello,

This is one of our first FreeBSD servers, and I'd rather be safe than sorry. We put a FreeBSD 10.0 system into production and it has been running (in production) for a couple of weeks now. Reading the security run emails today I noticed a lot of those:

--- snip ---
- 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
- 511 -r-sr-x--- 1 root operator 9880 Jan 16 22:40:33 2014 /sbin/mksnap_ffs
- 471 -r-sr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
- 546 -r-sr-xr-x 1 root wheel 36496 Jan 16 22:40:34 2014 /sbin/ping6
- 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/poweroff
- 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/shutdown
- 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/at
- 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/atq
--- snip ---

I did not see those messages before, but I do normally read those mails. So I checked with stat:

  File: "/bin/rcp"
  Size: 19912        FileType: Regular File
  Mode: (4555/-r-sr-xr-x)         Uid: (    0/    root)  Gid: (    0/   wheel)
Device: 71,202637507   Inode: 587    Links: 1
Access: Thu Jan 16 23:40:07 2014
Modify: Thu Jan 16 23:40:07 2014
Change: Fri Aug  1 18:15:30 2014

But there are no strange modifications recently ...

How come those messages are today in the security output? Are those permissions correct? Should I be worried about an intruder?

Best
Ray