Hi all,
Today I saw this in my host's security run output:
Code:
vpn-gateway setuid diffs:
--- /var/log/setuid.today 2008-05-26 05:02:15.000000000 +0200
+++ /tmp/security.0L5p4t7k 2008-06-23 05:02:29.000000000 +0200
@@ -1,46 +1,46 @@
-49737 -r-sr-xr-x 1 root wheel 18540 Feb 24 17:50:52 2008 /bin/rcp
-16512 -r-sr-x--- 1 root operator 5256 Feb 24 17:51:42 2008 /sbin/mksnap_ffs
-16528 -r-sr-xr-x 1 root wheel 23872 Feb 24 17:51:43 2008 /sbin/ping
-16529 -r-sr-xr-x 1 root wheel 31196 Feb 24 17:51:43 2008 /sbin/ping6
-16544 -r-sr-x--- 1 root operator 10700 Feb 24 17:51:44 2008 /sbin/shutdown
-1483879 -r-sr-xr-x 4 root wheel 21520 Feb 24 17:52:33 2008 /usr/bin/at
-1483879 -r-sr-xr-x 4 root wheel 21520 Feb 24 17:52:33 2008 /usr/bin/atq
-1483879 -r-sr-xr-x 4 root wheel 21520 Feb 24 17:52:33 2008 /usr/bin/atrm
-1483879 -r-sr-xr-x 4 root wheel 21520 Feb 24 17:52:33 2008 /usr/bin/batch
-1483886 -r-xr-sr-x 1 root kmem 9180 Feb 24 17:52:33 2008 /usr/bin/btsockstat
-1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 17:52:34 2008 /usr/bin/chfn
-1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 17:52:34 2008 /usr/bin/chpass
-1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 17:52:34 2008 /usr/bin/chsh
-1484110 -r-sr-xr-x 1 root wheel 26092 Feb 24 17:52:57 2008 /usr/bin/crontab
-1483934 -r-xr-sr-x 1 root kmem 15468 Feb 24 17:52:37 2008 /usr/bin/fstat
-1483979 -r-sr-xr-x 1 root wheel 8296 Feb 24 17:52:42 2008 /usr/bin/lock
-1483982 -r-sr-xr-x 1 root wheel 21556 Feb 24 17:52:42 2008 /usr/bin/login
-1484114 -r-sr-sr-x 1 root daemon 25876 Feb 24 17:53:03 2008 /usr/bin/lpq
-1484115 -r-sr-sr-x 1 root daemon 29368 Feb 24 17:53:03 2008 /usr/bin/lpr
-1484116 -r-sr-sr-x 1 root daemon 24600 Feb 24 17:53:03 2008 /usr/bin/lprm
-1484006 -r-xr-sr-x 1 root kmem 141832 Feb 24 17:52:44 2008 /usr/bin/netstat
-1484014 -r-sr-xr-x 1 root wheel 4572 Feb 24 17:52:45 2008 /usr/bin/opieinfo
-1484016 -r-sr-xr-x 1 root wheel 11652 Feb 24 17:52:45 2008 /usr/bin/opiepasswd
-1484018 -r-sr-xr-x 2 root wheel 6020 Feb 24 17:52:45 2008 /usr/bin/passwd
-1484029 -r-sr-xr-x 1 root wheel 10828 Feb 24 17:52:45 2008 /usr/bin/rlogin
-1484033 -r-sr-xr-x 1 root wheel 8640 Feb 24 17:52:46 2008 /usr/bin/rsh
-1484047 -r-sr-xr-x 1 root wheel 14472 Feb 24 17:52:46 2008 /usr/bin/su
-1484090 -r-xr-sr-x 1 root tty 11252 Feb 24 17:52:50 2008 /usr/bin/wall
-1484098 -r-xr-sr-x 1 root tty 8708 Feb 24 17:52:50 2008 /usr/bin/write
-1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 17:52:34 2008 /usr/bin/ypchfn
-1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 17:52:34 2008 /usr/bin/ypchpass
-1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 17:52:34 2008 /usr/bin/ypchsh
-1484018 -r-sr-xr-x 2 root wheel 6020 Feb 24 17:52:45 2008 /usr/bin/yppasswd
-1719312 -r-sr-xr-x 1 root wheel 3372 Feb 24 17:50:49 2008 /usr/libexec/pt_chown
-1719355 -r-xr-sr-x 1 root smmsp 665464 Feb 24 17:53:13 2008 /usr/libexec/sendmail/sendmail
-215785 -rwsr-xr-x 1 root wheel 20347 May 25 21:03:39 2008 /usr/local/bin/lppasswd
-212610 -rwsr-xr-x 1 root wheel 303476 May 8 12:38:13 2008 /usr/local/bin/screen
-1742879 -r-sr-sr-x 1 root authpf 18636 Feb 24 17:52:54 2008 /usr/sbin/authpf
-1742959 -r-xr-sr-x 1 root daemon 46064 Feb 24 17:53:03 2008 /usr/sbin/lpc
-1743020 -r-sr-x--- 1 root network 368516 Feb 24 17:53:09 2008 /usr/sbin/ppp
-1743022 -r-sr-x--- 1 root dialer 117164 Feb 24 17:53:09 2008 /usr/sbin/pppd
-1743057 -r-sr-x--- 1 root network 14332 Feb 24 17:53:14 2008 /usr/sbin/sliplogin
-1743070 -r-sr-xr-x 1 root wheel 15596 Feb 24 17:53:15 2008 /usr/sbin/timedc
-1743071 -r-sr-xr-x 1 root wheel 23404 Feb 24 17:53:15 2008 /usr/sbin/traceroute
-1743072 -r-sr-xr-x 1 root wheel 18396 Feb 24 17:53:15 2008 /usr/sbin/traceroute6
-1743073 -r-xr-sr-x 1 root kmem 8644 Feb 24 17:53:15 2008 /usr/sbin/trpt
+49737 -r-sr-xr-x 1 root wheel 18540 Feb 24 18:50:52 2008 /bin/rcp
+16512 -r-sr-x--- 1 root operator 5256 Feb 24 18:51:42 2008 /sbin/mksnap_ffs
+16528 -r-sr-xr-x 1 root wheel 23872 Feb 24 18:51:43 2008 /sbin/ping
+16529 -r-sr-xr-x 1 root wheel 31196 Feb 24 18:51:43 2008 /sbin/ping6
+16544 -r-sr-x--- 1 root operator 10700 Feb 24 18:51:44 2008 /sbin/shutdown
+1483879 -r-sr-xr-x 4 root wheel 21520 Feb 24 18:52:33 2008 /usr/bin/at
+1483879 -r-sr-xr-x 4 root wheel 21520 Feb 24 18:52:33 2008 /usr/bin/atq
+1483879 -r-sr-xr-x 4 root wheel 21520 Feb 24 18:52:33 2008 /usr/bin/atrm
+1483879 -r-sr-xr-x 4 root wheel 21520 Feb 24 18:52:33 2008 /usr/bin/batch
+1483886 -r-xr-sr-x 1 root kmem 9180 Feb 24 18:52:33 2008 /usr/bin/btsockstat
+1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 18:52:34 2008 /usr/bin/chfn
+1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 18:52:34 2008 /usr/bin/chpass
+1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 18:52:34 2008 /usr/bin/chsh
+1484110 -r-sr-xr-x 1 root wheel 26092 Feb 24 18:52:57 2008 /usr/bin/crontab
+1483934 -r-xr-sr-x 1 root kmem 15468 Feb 24 18:52:37 2008 /usr/bin/fstat
+1483979 -r-sr-xr-x 1 root wheel 8296 Feb 24 18:52:42 2008 /usr/bin/lock
+1483982 -r-sr-xr-x 1 root wheel 21556 Feb 24 18:52:42 2008 /usr/bin/login
+1484114 -r-sr-sr-x 1 root daemon 25876 Feb 24 18:53:03 2008 /usr/bin/lpq
+1484115 -r-sr-sr-x 1 root daemon 29368 Feb 24 18:53:03 2008 /usr/bin/lpr
+1484116 -r-sr-sr-x 1 root daemon 24600 Feb 24 18:53:03 2008 /usr/bin/lprm
+1484006 -r-xr-sr-x 1 root kmem 141832 Feb 24 18:52:44 2008 /usr/bin/netstat
+1484014 -r-sr-xr-x 1 root wheel 4572 Feb 24 18:52:45 2008 /usr/bin/opieinfo
+1484016 -r-sr-xr-x 1 root wheel 11652 Feb 24 18:52:45 2008 /usr/bin/opiepasswd
+1484018 -r-sr-xr-x 2 root wheel 6020 Feb 24 18:52:45 2008 /usr/bin/passwd
+1484029 -r-sr-xr-x 1 root wheel 10828 Feb 24 18:52:45 2008 /usr/bin/rlogin
+1484033 -r-sr-xr-x 1 root wheel 8640 Feb 24 18:52:46 2008 /usr/bin/rsh
+1484047 -r-sr-xr-x 1 root wheel 14472 Feb 24 18:52:46 2008 /usr/bin/su
+1484090 -r-xr-sr-x 1 root tty 11252 Feb 24 18:52:50 2008 /usr/bin/wall
+1484098 -r-xr-sr-x 1 root tty 8708 Feb 24 18:52:50 2008 /usr/bin/write
+1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 18:52:34 2008 /usr/bin/ypchfn
+1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 18:52:34 2008 /usr/bin/ypchpass
+1483901 -r-sr-xr-x 6 root wheel 18468 Feb 24 18:52:34 2008 /usr/bin/ypchsh
+1484018 -r-sr-xr-x 2 root wheel 6020 Feb 24 18:52:45 2008 /usr/bin/yppasswd
+1719312 -r-sr-xr-x 1 root wheel 3372 Feb 24 18:50:49 2008 /usr/libexec/pt_chown
+1719355 -r-xr-sr-x 1 root smmsp 665464 Feb 24 18:53:13 2008 /usr/libexec/sendmail/sendmail
+215785 -rwsr-xr-x 1 root wheel 20347 May 25 23:03:39 2008 /usr/local/bin/lppasswd
+212610 -rwsr-xr-x 1 root wheel 303476 May 8 14:38:13 2008 /usr/local/bin/screen
+1742879 -r-sr-sr-x 1 root authpf 18636 Feb 24 18:52:54 2008 /usr/sbin/authpf
+1742959 -r-xr-sr-x 1 root daemon 46064 Feb 24 18:53:03 2008 /usr/sbin/lpc
+1743020 -r-sr-x--- 1 root network 368516 Feb 24 18:53:09 2008 /usr/sbin/ppp
+1743022 -r-sr-x--- 1 root dialer 117164 Feb 24 18:53:09 2008 /usr/sbin/pppd
+1743057 -r-sr-x--- 1 root network 14332 Feb 24 18:53:14 2008 /usr/sbin/sliplogin
+1743070 -r-sr-xr-x 1 root wheel 15596 Feb 24 18:53:15 2008 /usr/sbin/timedc
+1743071 -r-sr-xr-x 1 root wheel 23404 Feb 24 18:53:15 2008 /usr/sbin/traceroute
+1743072 -r-sr-xr-x 1 root wheel 18396 Feb 24 18:53:15 2008 /usr/sbin/traceroute6
+1743073 -r-xr-sr-x 1 root kmem 8644 Feb 24 18:53:15 2008 /usr/sbin/trpt
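Review bot: the only field that differs between each removed line and its added counterpart is the hour of the modification time; inode, mode, link count, owner, group, size, minutes, seconds and path are identical on all 46 pairs, as in `Feb 24 17:50:52 2008 /bin/rcp` against `Feb 24 18:50:52 2008 /bin/rcp`. The February entries move by exactly one hour and the two May entries (/usr/local/bin/lppasswd and /usr/local/bin/screen) by exactly two. That is the pattern produced when the listing is rendered in a different time zone from the previous run (for example UTC before, and now a zone that is +1 in winter and +2 in summer, which fits the +0200 in the diff header), not the pattern of the files themselves being rewritten. To confirm, check whether the host's time zone setting changed between the 2008-05-26 and 2008-06-23 runs, and verify the binaries against known-good checksums if any doubt remains.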
I never saw it before and I wonder what this could mean and what it is causing... it seems like nothing has been changed.
Thanks in advance!