From: "David Robillard"
To: "dick hoogendijk"
Cc: FreeBSD Questions Mailing List
Date: Mon, 28 Aug 2006 11:11:37 -0400
Subject: Re: Fw: lothlorien.nagual.nl security run output

> I'm a little worried after reading the security output this morning.
> It seems some files [ping, ping6, shutdown, at, atq and atrm] have
> setuid diffs. I really don't know why this could have happened.
> I updated some ports yesterday, but I don't think any port writes
> in /sbin (?)
>
> Could somebody advise me on what can have happened?

What ports have you updated? You can check if any of them has installed new files in /sbin by running `pkg_info -L your_updated_port-version`. See the -L option of pkg_info(1) in the man page:
http://www.freebsd.org/cgi/man.cgi?query=pkg_info&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

You can also consider installing Host Based Integrity Monitoring software. I use Osiris, which is quite simple to set up and administer. It's already in the ports as security/osiris, which you can get here: http://www.freebsd.org/cgi/url.cgi?ports/security/osiris/pkg-descr. Of course, don't install Osiris on a machine when you're not sure whether it has been tampered with; it would defeat the purpose...

You can also take a look at other integrity checking software such as Samhain, Tripwire or aide.

Regards,

David

--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
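As an added example that is not part of the original mail, here is a small POSIX sh baseline check in the spirit of the periodic security run that produced the setuid diffs above: it records the set-id files under a tree and diffs a fresh listing against that record, so a new or re-permissioned set-id binary shows up as a diff line. The scratch tree, file names and baseline path in the demo are constructed for illustration, not taken from any real system.

```sh
#!/bin/sh
# Added example, not from the original mail: a minimal setuid/setgid
# baseline check in the spirit of FreeBSD's periodic security run.
# It records every set-id regular file under a tree (mode, owner,
# group, size, path) as a baseline and, on later runs, diffs a fresh
# listing against it so that new, removed or re-permissioned set-id
# binaries stand out the way they did in the security run output.

# List set-id regular files as "mode owner group size path", sorted by
# path so two listings of an unchanged tree are byte-identical.
# Uses find -ls (available on both FreeBSD and GNU find) and drops the
# volatile inode, block and timestamp columns. -xdev stays on one
# filesystem, as the periodic check does.
setid_listing() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls |
        awk '{ path = $11; for (i = 12; i <= NF; i++) path = path " " $i
               print $3, $5, $6, $7, path }' | sort -k5
}

# Usage: setid_baseline TREE BASELINE_FILE
# Store the current listing; only do this on a host you trust, since a
# baseline taken after a compromise just blesses the tampered state.
setid_baseline() {
    setid_listing "$1" > "$2"
}

# Usage: setid_check TREE BASELINE_FILE
# Print a unified diff of baseline vs. now. Returns 0 when nothing
# changed, 1 when set-id files were added, removed or re-permissioned.
setid_check() {
    now=$(mktemp) || return 2
    setid_listing "$1" > "$now"
    diff -u "$2" "$now"
    rc=$?
    rm -f "$now"
    return $rc
}

# Demo on a scratch tree (constructed data, not a real system):
# baseline with one setuid file, then add a second one and re-check.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/sbin" || return 2
    : > "$d/sbin/ping";  chmod 4755 "$d/sbin/ping"
    : > "$d/sbin/plain"; chmod 755 "$d/sbin/plain"
    setid_baseline "$d/sbin" "$d/setuid.baseline"
    : > "$d/sbin/at";    chmod 4755 "$d/sbin/at"
    setid_check "$d/sbin" "$d/setuid.baseline"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh script.sh demo` to see the diff for the constructed tree; on a real host, point `setid_baseline` at `/` once on a trusted system and schedule `setid_check` against that file.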