Date:      Sat, 4 May 1996 12:07:21 -0700 (PDT)
From:      Brian Wang <brian@mail.vividnet.com>
To:        freebsd-security@freebsd.org
Subject:   Weird system security output
Message-ID:  <Pine.BSF.3.91.960504115115.9617A-100000@taurus.vividnet.com>

	After searching the mail archives, I found the following posted 
question without replies.  I'd love some replies though.

> Subject: unaccounted-for mtime and ctime changes on SUID root programs
> To: questions@FreeBSD.org (FreeBSD questions)
> Date: Thu, 1 Feb 1996 10:36:26 -0600 (CST)
> X-Mailer: ELM [version 2.4 PL25]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=US-ASCII
> Content-Transfer-Encoding: 7bit
> Sender: owner-questions@FreeBSD.org
> Precedence: bulk
>
> A few times with FreeBSD 2.0.5 and now twice with FreeBSD 2.1(CD),
> the nightly security check has revealed SUID root programs whose
> modification times have changed.  I have immediately put in the
> backup tapes, pulled down the original files, and compared them.
> Every time, they have been identical (which is something of a relief
> to know that worms or trojan horses are not being left around), but
> I have to wonder how this is happening, and whether it may be an
> indication of something sinister but more subtle going on (like someone
> changing the programs, doing their mischief, and then changing them
> back).

	Just last night, I'm having the same problem described above again
(it occurred a couple of times before).  Somehow, the date stamp gets altered
for no reason...a compromised system?  Again, checking the binary file
from the backup/cdrom yielded nothing.  The following is a nightly
security check output from one of our servers.  Is there a rational
explanation for this?  Thanks in advance for any help/answer!

	Date: Sat, 4 May 1996 02:00:03 -0700 (PDT)
	From: System Administrator <root@mail.vividnet.com>
	Subject: aquarius security check output

	checking setuid files and devices:
	aquarius setuid/device diffs:
	1c1
	< -r-xr-sr-x  1 bin   operator   65536 Nov 16 01:43:41 1995 /bin/df
	---
	> -r-xr-sr-x  1 bin   operator   65536 May  3 02:22:47 1996 /bin/df

Sincerely,

Brian Wang
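
Added example, not part of the original message: a small Python triage of the "setuid/device diffs" section shown above, reporting which listing fields changed per file so timestamp-only changes can be separated from mode, owner or size changes. The function names are hypothetical, the sample is the diff quoted in the message, and the timestamp column is assumed to be the modification time that ls prints by default.

```python
import re

# Sample input: the diff lines quoted in the message above.
SAMPLE = """\
1c1
< -r-xr-sr-x  1 bin   operator   65536 Nov 16 01:43:41 1995 /bin/df
---
> -r-xr-sr-x  1 bin   operator   65536 May  3 02:22:47 1996 /bin/df
"""

# One long-format listing line prefixed by a diff marker. Device nodes show
# "major, minor" where regular files show a size, so accept both forms.
LINE = re.compile(
    r"^(?P<side>[<>])\s+(?P<mode>\S+)\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<size>\d+(?:,\s*\d+)?)\s+"
    r"(?P<mtime>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\d{4})\s+(?P<path>/.*)$")

FIELDS = ("mode", "links", "owner", "group", "size", "mtime")

def parse(text):
    """Return (old, new) dicts mapping path -> parsed fields."""
    old, new = {}, {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # hunk headers ("1c1"), "---" separators, mail text
        # Collapse column padding so "May  3" and "May 3" compare equal.
        rec = {k: " ".join(v.split()) for k, v in m.groupdict().items()}
        (old if rec["side"] == "<" else new)[rec["path"]] = rec
    return old, new

def triage(text):
    """Map each path to the list of fields that differ between old and new."""
    old, new = parse(text)
    report = {}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report[path] = ["added"]
        elif path not in new:
            report[path] = ["removed"]
        else:
            report[path] = [f for f in FIELDS if old[path][f] != new[path][f]]
    return report

def timestamp_only(report):
    """Paths whose only visible change is the timestamp column."""
    return [p for p, changed in report.items() if changed == ["mtime"]]

if __name__ == "__main__":
    for path, changed in triage(SAMPLE).items():
        print(path, "changed:", ", ".join(changed))
```

The listing cannot show whether file contents changed, so a path reported as timestamp-only still needs the comparison against a known-good copy that the message describes.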


