Re: Security Check Diffs Question

From: Rob Simmons (rsimmons@wlcg.com)
Date: 07/24/01


Date: Tue, 24 Jul 2001 13:47:58 -0400 (EDT)
From: Rob Simmons <rsimmons@wlcg.com>
To: Jon Loeliger <jdl@jdl.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

If you have access to the same binaries on another machine, run ident
against both. If there are _no_ RCS keyword strings in the questionable
binaries, there is definitely a problem.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Tue, 24 Jul 2001, Jon Loeliger wrote:

> Hi Folks,
>
> This morning, on a machine that's been up for 33 days,
> I suddenly saw these /etc/security diffs:
>
> <host> setuid diffs:
> 20,22c20,22
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
> ---
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
> 53,55c53,55
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
> ---
> > 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
>
>
> So, how paranoid am I here? How concerned am I?
> What compromise of my system just took place?
> Couple things to notice:
>
> - The files now take fewer 512K blocks,
> but their sizes are the same?
>
> - Most of the inodes stayed the same. Exact same.
> Are these hard linked files? Should be, right?
>
> - The inode for ypchfn changed!
> It's no longer hard linked, right?
>
> No form of disk restructuring, fsck, defrag, etc, was initiated by me.
>
> Note that:
>
> www 181 # cmp /usr/bin/{ypchpass,ypchfn}
> /usr/bin/ypchpass /usr/bin/ypchfn differ: char 25, line 1
>
> Here is a `strings /usr/bin/ypchfn`:
>
> www 182 # strings /usr/bin/ypchfn
> /usr/libexec/ld-elf.so.1
> FreeBSD
> libcrypt.so.2
> _DYNAMIC
> _init
> __deregister_frame_info
> crypt
> strcmp
> _fini
> _GLOBAL_OFFSET_TABLE_
> __register_frame_info
> libc.so.4
> strerror
> execl
> environ
> fprintf
> __progname
> __error
> setgid
> __sF
> execv
> getpwuid
> getpwnam
> atexit
> exit
> strchr
> execvp
> setuid
> _etext
> _edata
> __bss_start
> _end
> 8/u
> QR2cc.wsLFbKU
> root
>
> If someone didn't hack my system, I took a disk hit and lost
> part of that file, right?
>
> What other log files am I dissecting or where else am I poking
> for further evidence?
>
> Am I blowing away the bogus(?) /usr/bin/ypchfn and re-making
> it a hard link to the others again?
>
> jdl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7XbTTv8Bofna59hYRA/qmAJ94c+qf42IHuHEzpc9XTomFyoE02ACgpD2V
0paUeTayTHx4/WC6YDwkWxQ=
=yz9c
-----END PGP SIGNATURE-----
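The listing lines in the quoted diff are in `ls -li` layout: inode, mode, link count, owner, group, size, timestamp, path. The following is an added example, not code from this thread or from FreeBSD's own /etc/security script: it parses the "before" (`<`) and "after" (`>`) lines, rebuilds the hard-link groups by inode, and reports the two things worth acting on in a setuid diff like this one: a path whose inode changed (it is now a separate file, no longer a link to the others) and a link count that moved on an unchanged inode (a link was added or removed somewhere). The sample listings below are constructed from the values quoted above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the "<" (before) and ">" (after) lines of the
# setuid diff quoted in the thread, with the leading "< " / "> " stripped.
BEFORE = """\
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""
AFTER = """\
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""

# One "ls -li"-style line: inode, mode, link count, owner, group, size,
# "Mon dd hh:mm:ss yyyy" timestamp, absolute path.
LINE_RE = re.compile(
    r"^(?P<inode>\d+)\s+(?P<mode>\S{10})\s+(?P<nlink>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+[\d:]+\s+\d{4})\s+(?P<path>/\S.*)$"
)


def parse_listing(text):
    """Parse listing lines into {path: fields}; numeric fields become ints."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised listing line: %r" % line)
        fields = m.groupdict()
        for key in ("inode", "nlink", "size"):
            fields[key] = int(fields[key])
        entries[fields["path"]] = fields
    return entries


def link_groups(entries):
    """Group paths by inode: paths sharing an inode are hard links of one file."""
    groups = defaultdict(set)
    for e in entries.values():
        groups[e["inode"]].add(e["path"])
    return {inode: sorted(paths) for inode, paths in groups.items()}


def analyze(before, after):
    """Return (path, reason) findings for changes that merit investigation."""
    findings = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old is None:
            findings.append((path, "new setuid file"))
            continue
        if new is None:
            findings.append((path, "setuid file removed"))
            continue
        if old["inode"] != new["inode"]:
            # Same path, different inode: the file at this path was replaced;
            # it is no longer one of the hard links it used to belong to.
            findings.append((path, "inode changed %d->%d: now a separate file, "
                                   "no longer a hard link" % (old["inode"], new["inode"])))
        elif old["nlink"] != new["nlink"]:
            # Same inode, different link count: a link to this file was
            # added or removed at some other path.
            findings.append((path, "link count %d->%d on unchanged inode: a hard "
                                   "link was added or removed elsewhere"
                                   % (old["nlink"], new["nlink"])))
        for key in ("mode", "owner", "group", "size"):
            if old[key] != new[key]:
                findings.append((path, "%s changed %s->%s" % (key, old[key], new[key])))
    return findings


if __name__ == "__main__":
    before, after = parse_listing(BEFORE), parse_listing(AFTER)
    print("hard-link groups before:", link_groups(before))
    print("hard-link groups after: ", link_groups(after))
    for path, reason in analyze(before, after):
        print("%-22s %s" % (path, reason))
```

Run on the quoted listing it reports one replaced inode (`/usr/bin/ypchfn`, 8047 to 8270, link count 1) and five link counts that dropped from 6 to 5 on inode 8047, which is exactly the picture of one link being detached from a six-way hard-linked file; the third column is the link count, not a block count, so "fewer blocks" is not what the diff shows. Identical size and timestamp on the new inode say nothing about its content, which is why comparing the binary against a known-good copy (`ident`, `cmp`, or a checksum from the install media) is the next step.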
