Date: Wed, 05 Aug 1998 19:32:05 -0600
From: Warner Losh <imp@village.org>
To: Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
Message-ID: <199808060132.TAA09251@harmony.village.org>
In-Reply-To: Your message of "Wed, 05 Aug 1998 10:27:30 MDT." <199808051643.KAA04281@lariat.lariat.org>
References: <199808051643.KAA04281@lariat.lariat.org>

In message <199808051643.KAA04281@lariat.lariat.org> Brett Glass writes:
: < -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/restore
: ---
: > -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/restore
: Does this mean we have intruders? I think I might have *run* restore at
: that time as root, but didn't think it was self-modifying.

Since the sizes are the same, this is a well known bug in the changing
of the modification time spontaneously. The security program should
keep a md5 database of files instead.

The Spontaneous Crash should be looked into, but it does sound much
like the David Rivers Memorial Crash[tm] which is both well known and
hard to fix.

Warner
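
The digest database suggested in the message, sketched as an added example that is not part of the original e-mail or of FreeBSD's security script: it stores a content digest next to size and mtime, so a timestamp-only change is reported separately from changed bytes. The function names and the constructed temporary files are assumptions, and SHA-256 is used in place of the md5 the message names.

```python
import hashlib
import os
import tempfile


def snapshot(paths, algo="sha256"):
    """Record size, mtime and content digest for each path."""
    db = {}
    for p in paths:
        st = os.stat(p)
        h = hashlib.new(algo)
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        db[p] = {"size": st.st_size, "mtime": st.st_mtime_ns, "digest": h.hexdigest()}
    return db


def compare(baseline, current):
    """Classify each path by what changed between two snapshots."""
    report = {}
    for p in sorted(set(baseline) | set(current)):
        old, new = baseline.get(p), current.get(p)
        if old is None:
            report[p] = "added"
        elif new is None:
            report[p] = "removed"
        elif old["digest"] != new["digest"]:
            report[p] = "content-changed"
        elif old["mtime"] != new["mtime"]:
            report[p] = "mtime-only"   # the case in the message: same bytes, new timestamp
        else:
            report[p] = "unchanged"
    return report


def demo():
    """Constructed sample files (hypothetical stand-ins, not real binaries)."""
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "restore"), os.path.join(d, "dump")
        for p in (a, b):
            with open(p, "wb") as f:
                f.write(b"A" * 64)
        base = snapshot([a, b])
        os.utime(a, ns=(0, base[a]["mtime"] + 10**9))  # timestamp moves, bytes intact
        with open(b, "wb") as f:
            f.write(b"A" * 63 + b"B")                  # same size, different bytes
        report = compare(base, snapshot([a, b]))
        return {os.path.basename(p): v for p, v in report.items()}
```

Calling `demo()` returns the classification for the two constructed files; a listing diff on size and date alone would flag the first file and could not tell it apart from the second.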