Security Check Diffs Question

From: Jon Loeliger (jdl@jdl.com)
Date: 07/24/01


To: security@freebsd.org
Date: Tue, 24 Jul 2001 11:32:23 -0500
From: Jon Loeliger <jdl@jdl.com>

Hi Folks,

This morning, on a machine that's been up for 33 days,
I suddenly saw these /etc/security diffs:

<host> setuid diffs:
20,22c20,22
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh

---
> 8047 -r-sr-xr-x  5 root  wheel  32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> 8047 -r-sr-xr-x  5 root  wheel  32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> 8047 -r-sr-xr-x  5 root  wheel  32184 Nov 20 06:01:52 2000 /usr/bin/chsh
53,55c53,55
< 8047 -r-sr-xr-x  6 root  wheel  32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
< 8047 -r-sr-xr-x  6 root  wheel  32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
< 8047 -r-sr-xr-x  6 root  wheel  32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
---
> 8270 -r-sr-xr-x  1 root  wheel  32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> 8047 -r-sr-xr-x  5 root  wheel  32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> 8047 -r-sr-xr-x  5 root  wheel  32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
So, how paranoid am I here?  How concerned am I?
What compromise of my system just took place?
A couple of things to notice:
    - The files now take fewer 512K blocks,
      but their sizes are the same?
    - Most of the inodes stayed the same.  Exact same.
      Are these hard linked files? Should be, right?
    - The inode for ypchfn changed!
      It's no longer hard linked, right?
No form of disk restructuring, fsck, defrag, etc, was initiated by me.
Note that:
    www 181 # cmp /usr/bin/{ypchpass,ypchfn}
    /usr/bin/ypchpass /usr/bin/ypchfn differ: char 25, line 1
Here is a `strings /usr/bin/ypchfn`:
    www 182 # strings /usr/bin/ypchfn
    /usr/libexec/ld-elf.so.1
    FreeBSD
    libcrypt.so.2
    _DYNAMIC
    _init
    __deregister_frame_info
    crypt
    strcmp
    _fini
    _GLOBAL_OFFSET_TABLE_
    __register_frame_info
    libc.so.4
    strerror
    execl
    environ
    fprintf
    __progname
    __error
    setgid
    __sF
    execv
    getpwuid
    getpwnam
    atexit
    exit
    strchr
    execvp
    setuid
    _etext
    _edata
    __bss_start
    _end
    8/u
    QR2cc.wsLFbKU
    root
If someone didn't hack my system, I took a disk hit and lost
part of that file, right?
What other log files am I dissecting or where else am I poking
for further evidence?
Am I blowing away the bogus(?) /usr/bin/ypchfn and re-making
it a hard link to the others again?
jdl
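The questions in the mail turn on what the listing columns mean for hard links: paths that share an inode are the same file, and that inode's link count should equal the number of names pointing at it. The script below is an added example, not code from the mail or from FreeBSD's /etc/security script. It assumes the column layout inode, mode, link count, owner, group, size, date, path (so the column that drops from 6 to 5 is treated as the link count, which is what one expects when one of six hard-linked names is replaced by a separate file), parses the two listings quoted above as constructed input, and reports every path whose inode, link count, size, mode or ownership changed, calling out specifically a path that left a hard-link group its former siblings still share. It also checks each listing for the impossible case of an inode with a link count lower than the number of listed names, which would point at a damaged or altered listing rather than a filesystem change.

```python
"""Compare two setuid listings in the format quoted in the mail and
explain inode / link-count changes.  Added example, not the mail's code."""
from collections import defaultdict

# Assumed column layout per line (an assumption, not stated by the page):
#   inode  mode  nlink  owner  group  size  month day time year  path
# The two listings are constructed from the entries quoted in the mail.
OLD_LISTING = """\
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""

NEW_LISTING = """\
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""

FIELDS = ("inode", "mode", "nlink", "owner", "group", "size")


def parse_listing(text):
    """Map each path to its inode, mode, link count, owner, group and size."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 11:          # skip blank or truncated lines
            continue
        inode, mode, nlink, owner, group, size = fields[:6]
        entries[fields[-1]] = {"inode": int(inode), "mode": mode,
                               "nlink": int(nlink), "owner": owner,
                               "group": group, "size": int(size)}
    return entries


def hardlink_groups(entries):
    """Group listed paths by inode: names sharing an inode are one file."""
    groups = defaultdict(list)
    for path, entry in entries.items():
        groups[entry["inode"]].append(path)
    return dict(groups)


def check_link_counts(entries):
    """Return (inode, nlink, paths) for inodes whose link count is lower than
    the number of listed names; a consistent filesystem cannot show that."""
    findings = []
    for inode, paths in hardlink_groups(entries).items():
        nlink = entries[paths[0]]["nlink"]
        if nlink < len(paths):
            findings.append((inode, nlink, sorted(paths)))
    return findings


def diff_listings(old, new):
    """Return (path, description) for every path that changed between runs."""
    findings = []
    old_groups = hardlink_groups(old)
    for path in sorted(set(old) | set(new)):
        if path not in new:
            findings.append((path, "removed from listing"))
            continue
        if path not in old:
            findings.append((path, "newly listed"))
            continue
        o, n = old[path], new[path]
        changes = [f"{k} {o[k]}->{n[k]}" for k in FIELDS if o[k] != n[k]]
        if o["inode"] != n["inode"]:
            # former hard-link siblings that still carry the old inode
            siblings = [p for p in old_groups[o["inode"]]
                        if p != path and new.get(p, {}).get("inode") == o["inode"]]
            if siblings:
                changes.append("split from hard-link group still shared by "
                               + ", ".join(sorted(siblings)))
        if changes:
            findings.append((path, "; ".join(changes)))
    return findings


if __name__ == "__main__":
    old, new = parse_listing(OLD_LISTING), parse_listing(NEW_LISTING)
    for inode, nlink, paths in check_link_counts(new):
        print(f"inconsistent: inode {inode} nlink {nlink} but listed as {paths}")
    for path, what in diff_listings(old, new):
        print(f"{path}: {what}")
```

Run against the quoted listings, the output singles out /usr/bin/ypchfn as having changed inode and dropped from a six-name hard-link group to a link count of one, while the five remaining names report only the link count falling from 6 to 5 and keep the same size, mode and owner; that is the pattern of one name being replaced by a new, separate file rather than of the shared file being edited in place. Whatever produced that new file, the next step a responder would want is the one the mail already reaches for: compare the detached binary against its former siblings (cmp, and a checksum against installation media or a package database) before deciding whether to relink it.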