Message-Id: <199808060132.TAA09251@harmony.village.org>
To: Brett Glass
Subject: Re: Does this mean we have another breakin?
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 05 Aug 1998 10:27:30 MDT." <199808051643.KAA04281@lariat.lariat.org>
References: <199808051643.KAA04281@lariat.lariat.org>
Date: Wed, 05 Aug 1998 19:32:05 -0600
From: Warner Losh

In message <199808051643.KAA04281@lariat.lariat.org> Brett Glass writes:
: < -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/restore
: ---
: > -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/restore
: Does this mean we have intruders? I think I might have *run* restore at
: that time as root, but didn't think it was self-modifying.

Since the sizes are the same, this is a well known bug in the changing of the modification time spontaneously. The security program should keep a md5 database of files instead.

The Spontaneous Crash should be looked into, but it does sound much like the David Rivers Memorial Crash[tm] which is both well known and hard to fix.

Warner
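Added example, not part of the original message and not FreeBSD's own security script: a minimal baseline that stores a content digest alongside size and mtime, so an mtime-only difference like the one quoted above can be told apart from a same-size content change. SHA-256 is used here in place of the md5 mentioned in the message, and the file names and contents are constructed stand-ins in a temporary directory.

```python
import hashlib
import os
import tempfile

def digest(path, algo="sha256"):
    """Hash file contents in chunks so large binaries are not read in one go."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths, algo="sha256"):
    """Record size, mtime and content digest for each path (the 'database')."""
    db = {}
    for p in paths:
        st = os.stat(p)
        db[p] = {"size": st.st_size, "mtime": st.st_mtime_ns, "digest": digest(p, algo)}
    return db

def compare(old, new):
    """Classify each path; the digest is checked before any metadata."""
    report = {}
    for p in sorted(set(old) | set(new)):
        if p not in new:
            report[p] = "removed"
        elif p not in old:
            report[p] = "added"
        elif old[p]["digest"] != new[p]["digest"]:
            report[p] = "CONTENT CHANGED"
        elif old[p]["mtime"] != new[p]["mtime"]:
            report[p] = "mtime only (contents identical)"
        else:
            report[p] = "unchanged"
    return report

def demo():
    """Constructed sample: two stand-in files, not real system binaries."""
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "restore"), os.path.join(d, "dump")
        for p in (a, b):
            with open(p, "wb") as f:
                f.write(b"\x7fELF constructed sample")
        before = snapshot([a, b])
        os.utime(a, ns=(1, 1))      # mtime moves, bytes do not
        with open(b, "r+b") as f:   # same size, different bytes
            f.write(b"\x7fELX")
        result = compare(before, snapshot([a, b]))
        return {os.path.basename(p): s for p, s in result.items()}
```

A size-and-date listing flags both files the same way or misses the second one entirely; the digest comparison separates them.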