DaemonForums
#1
28th June 2008
deadeyes
strange security run output

Hi all,

Today I saw this in my host's security run output:
Code:
vpn-gateway setuid diffs:
--- /var/log/setuid.today       2008-05-26 05:02:15.000000000 +0200
+++ /tmp/security.0L5p4t7k      2008-06-23 05:02:29.000000000 +0200
@@ -1,46 +1,46 @@
-49737 -r-sr-xr-x  1 root  wheel      18540 Feb 24 17:50:52 2008 /bin/rcp
-16512 -r-sr-x---  1 root  operator    5256 Feb 24 17:51:42 2008 /sbin/mksnap_ffs
-16528 -r-sr-xr-x  1 root  wheel      23872 Feb 24 17:51:43 2008 /sbin/ping
-16529 -r-sr-xr-x  1 root  wheel      31196 Feb 24 17:51:43 2008 /sbin/ping6
-16544 -r-sr-x---  1 root  operator   10700 Feb 24 17:51:44 2008 /sbin/shutdown
-1483879 -r-sr-xr-x  4 root  wheel      21520 Feb 24 17:52:33 2008 /usr/bin/at
-1483879 -r-sr-xr-x  4 root  wheel      21520 Feb 24 17:52:33 2008 /usr/bin/atq
-1483879 -r-sr-xr-x  4 root  wheel      21520 Feb 24 17:52:33 2008 /usr/bin/atrm
-1483879 -r-sr-xr-x  4 root  wheel      21520 Feb 24 17:52:33 2008 /usr/bin/batch
-1483886 -r-xr-sr-x  1 root  kmem        9180 Feb 24 17:52:33 2008 /usr/bin/btsockstat
-1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 17:52:34 2008 /usr/bin/chfn
-1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 17:52:34 2008 /usr/bin/chpass
-1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 17:52:34 2008 /usr/bin/chsh
-1484110 -r-sr-xr-x  1 root  wheel     26092 Feb 24 17:52:57 2008 /usr/bin/crontab
-1483934 -r-xr-sr-x  1 root  kmem       15468 Feb 24 17:52:37 2008 /usr/bin/fstat
-1483979 -r-sr-xr-x  1 root  wheel       8296 Feb 24 17:52:42 2008 /usr/bin/lock
-1483982 -r-sr-xr-x  1 root  wheel      21556 Feb 24 17:52:42 2008 /usr/bin/login
-1484114 -r-sr-sr-x  1 root  daemon    25876 Feb 24 17:53:03 2008 /usr/bin/lpq
-1484115 -r-sr-sr-x  1 root  daemon    29368 Feb 24 17:53:03 2008 /usr/bin/lpr
-1484116 -r-sr-sr-x  1 root  daemon    24600 Feb 24 17:53:03 2008 /usr/bin/lprm
-1484006 -r-xr-sr-x  1 root  kmem      141832 Feb 24 17:52:44 2008 /usr/bin/netstat
-1484014 -r-sr-xr-x  1 root  wheel      4572 Feb 24 17:52:45 2008 /usr/bin/opieinfo
-1484016 -r-sr-xr-x  1 root  wheel     11652 Feb 24 17:52:45 2008 /usr/bin/opiepasswd
-1484018 -r-sr-xr-x  2 root  wheel      6020 Feb 24 17:52:45 2008 /usr/bin/passwd
-1484029 -r-sr-xr-x  1 root  wheel     10828 Feb 24 17:52:45 2008 /usr/bin/rlogin
-1484033 -r-sr-xr-x  1 root  wheel      8640 Feb 24 17:52:46 2008 /usr/bin/rsh
-1484047 -r-sr-xr-x  1 root  wheel     14472 Feb 24 17:52:46 2008 /usr/bin/su
-1484090 -r-xr-sr-x  1 root  tty       11252 Feb 24 17:52:50 2008 /usr/bin/wall
-1484098 -r-xr-sr-x  1 root  tty        8708 Feb 24 17:52:50 2008 /usr/bin/write
-1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 17:52:34 2008 /usr/bin/ypchfn
-1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 17:52:34 2008 /usr/bin/ypchpass
-1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 17:52:34 2008 /usr/bin/ypchsh
-1484018 -r-sr-xr-x  2 root  wheel      6020 Feb 24 17:52:45 2008 /usr/bin/yppasswd
-1719312 -r-sr-xr-x  1 root  wheel      3372 Feb 24 17:50:49 2008 /usr/libexec/pt_chown
-1719355 -r-xr-sr-x  1 root  smmsp    665464 Feb 24 17:53:13 2008 /usr/libexec/sendmail/sendmail
-215785 -rwsr-xr-x  1 root  wheel     20347 May 25 21:03:39 2008 /usr/local/bin/lppasswd
-212610 -rwsr-xr-x  1 root  wheel    303476 May  8 12:38:13 2008 /usr/local/bin/screen
-1742879 -r-sr-sr-x  1 root  authpf    18636 Feb 24 17:52:54 2008 /usr/sbin/authpf
-1742959 -r-xr-sr-x  1 root  daemon    46064 Feb 24 17:53:03 2008 /usr/sbin/lpc
-1743020 -r-sr-x---  1 root  network  368516 Feb 24 17:53:09 2008 /usr/sbin/ppp
-1743022 -r-sr-x---  1 root  dialer   117164 Feb 24 17:53:09 2008 /usr/sbin/pppd
-1743057 -r-sr-x---  1 root  network   14332 Feb 24 17:53:14 2008 /usr/sbin/sliplogin
-1743070 -r-sr-xr-x  1 root  wheel     15596 Feb 24 17:53:15 2008 /usr/sbin/timedc
-1743071 -r-sr-xr-x  1 root  wheel     23404 Feb 24 17:53:15 2008 /usr/sbin/traceroute
-1743072 -r-sr-xr-x  1 root  wheel     18396 Feb 24 17:53:15 2008 /usr/sbin/traceroute6
-1743073 -r-xr-sr-x  1 root  kmem       8644 Feb 24 17:53:15 2008 /usr/sbin/trpt
+49737 -r-sr-xr-x  1 root  wheel      18540 Feb 24 18:50:52 2008 /bin/rcp
+16512 -r-sr-x---  1 root  operator    5256 Feb 24 18:51:42 2008 /sbin/mksnap_ffs
+16528 -r-sr-xr-x  1 root  wheel      23872 Feb 24 18:51:43 2008 /sbin/ping
+16529 -r-sr-xr-x  1 root  wheel      31196 Feb 24 18:51:43 2008 /sbin/ping6
+16544 -r-sr-x---  1 root  operator   10700 Feb 24 18:51:44 2008 /sbin/shutdown
+1483879 -r-sr-xr-x  4 root  wheel      21520 Feb 24 18:52:33 2008 /usr/bin/at
+1483879 -r-sr-xr-x  4 root  wheel      21520 Feb 24 18:52:33 2008 /usr/bin/atq
+1483879 -r-sr-xr-x  4 root  wheel      21520 Feb 24 18:52:33 2008 /usr/bin/atrm
+1483879 -r-sr-xr-x  4 root  wheel      21520 Feb 24 18:52:33 2008 /usr/bin/batch
+1483886 -r-xr-sr-x  1 root  kmem        9180 Feb 24 18:52:33 2008 /usr/bin/btsockstat
+1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 18:52:34 2008 /usr/bin/chfn
+1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 18:52:34 2008 /usr/bin/chpass
+1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 18:52:34 2008 /usr/bin/chsh
+1484110 -r-sr-xr-x  1 root  wheel     26092 Feb 24 18:52:57 2008 /usr/bin/crontab
+1483934 -r-xr-sr-x  1 root  kmem       15468 Feb 24 18:52:37 2008 /usr/bin/fstat
+1483979 -r-sr-xr-x  1 root  wheel       8296 Feb 24 18:52:42 2008 /usr/bin/lock
+1483982 -r-sr-xr-x  1 root  wheel      21556 Feb 24 18:52:42 2008 /usr/bin/login
+1484114 -r-sr-sr-x  1 root  daemon    25876 Feb 24 18:53:03 2008 /usr/bin/lpq
+1484115 -r-sr-sr-x  1 root  daemon    29368 Feb 24 18:53:03 2008 /usr/bin/lpr
+1484116 -r-sr-sr-x  1 root  daemon    24600 Feb 24 18:53:03 2008 /usr/bin/lprm
+1484006 -r-xr-sr-x  1 root  kmem      141832 Feb 24 18:52:44 2008 /usr/bin/netstat
+1484014 -r-sr-xr-x  1 root  wheel      4572 Feb 24 18:52:45 2008 /usr/bin/opieinfo
+1484016 -r-sr-xr-x  1 root  wheel     11652 Feb 24 18:52:45 2008 /usr/bin/opiepasswd
+1484018 -r-sr-xr-x  2 root  wheel      6020 Feb 24 18:52:45 2008 /usr/bin/passwd
+1484029 -r-sr-xr-x  1 root  wheel     10828 Feb 24 18:52:45 2008 /usr/bin/rlogin
+1484033 -r-sr-xr-x  1 root  wheel      8640 Feb 24 18:52:46 2008 /usr/bin/rsh
+1484047 -r-sr-xr-x  1 root  wheel     14472 Feb 24 18:52:46 2008 /usr/bin/su
+1484090 -r-xr-sr-x  1 root  tty       11252 Feb 24 18:52:50 2008 /usr/bin/wall
+1484098 -r-xr-sr-x  1 root  tty        8708 Feb 24 18:52:50 2008 /usr/bin/write
+1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 18:52:34 2008 /usr/bin/ypchfn
+1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 18:52:34 2008 /usr/bin/ypchpass
+1483901 -r-sr-xr-x  6 root  wheel      18468 Feb 24 18:52:34 2008 /usr/bin/ypchsh
+1484018 -r-sr-xr-x  2 root  wheel      6020 Feb 24 18:52:45 2008 /usr/bin/yppasswd
+1719312 -r-sr-xr-x  1 root  wheel      3372 Feb 24 18:50:49 2008 /usr/libexec/pt_chown
+1719355 -r-xr-sr-x  1 root  smmsp    665464 Feb 24 18:53:13 2008 /usr/libexec/sendmail/sendmail
+215785 -rwsr-xr-x  1 root  wheel     20347 May 25 23:03:39 2008 /usr/local/bin/lppasswd
+212610 -rwsr-xr-x  1 root  wheel    303476 May  8 14:38:13 2008 /usr/local/bin/screen
+1742879 -r-sr-sr-x  1 root  authpf    18636 Feb 24 18:52:54 2008 /usr/sbin/authpf
+1742959 -r-xr-sr-x  1 root  daemon    46064 Feb 24 18:53:03 2008 /usr/sbin/lpc
+1743020 -r-sr-x---  1 root  network  368516 Feb 24 18:53:09 2008 /usr/sbin/ppp
+1743022 -r-sr-x---  1 root  dialer   117164 Feb 24 18:53:09 2008 /usr/sbin/pppd
+1743057 -r-sr-x---  1 root  network   14332 Feb 24 18:53:14 2008 /usr/sbin/sliplogin
+1743070 -r-sr-xr-x  1 root  wheel     15596 Feb 24 18:53:15 2008 /usr/sbin/timedc
+1743071 -r-sr-xr-x  1 root  wheel     23404 Feb 24 18:53:15 2008 /usr/sbin/traceroute
+1743072 -r-sr-xr-x  1 root  wheel     18396 Feb 24 18:53:15 2008 /usr/sbin/traceroute6
+1743073 -r-xr-sr-x  1 root  kmem       8644 Feb 24 18:53:15 2008 /usr/sbin/trpt
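Review bot: every `-`/`+` pair in this hunk has the same inode, mode, link count, owner, group and size, and differs only in the mtime, which moves forward by exactly one hour on every February entry (/bin/rcp 17:50:52 to 18:50:52) and by two hours on the two May entries (/usr/local/bin/lppasswd 21:03:39 to 23:03:39, /usr/local/bin/screen 12:38:13 to 14:38:13). A uniform +1h shift on winter dates and +2h on summer dates is the signature of the listing being printed in a different timezone (UTC before, a Central European zone with daylight saving after; both diff headers already carry +0200), not of the binaries being replaced: a rebuilt or substituted file would normally change size and inode as well. The check that settles it is a checksum comparison of the listed files against a known-good copy or an mtree(8) manifest taken before the change, rather than reading the diff alone.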
I have never seen this before, and I wonder what it could mean and what is causing it... it seems like nothing has changed.

Thanks in advance!
#2
28th June 2008
BSDfan666

Did you rebuild your userland?
#3
28th June 2008
anomie

To elaborate on that a bit, you're looking at a unified diff(1) in your security output.

It appears that a number of setuid/setgid binaries on your system have changed since the last time the periodic security scripts ran. As BSDfan666 asks, this could be related to rebuilding world.
#4
30th June 2008
deadeyes

Quote:
Originally Posted by anomie
To elaborate on that a bit, you're looking at a unified diff(1) in your security output.

It appears that a number of setuid/setgid binaries on your system have changed since the last time the periodic security scripts ran. As BSDfan666 asks, this could be related to rebuilding world.
I know it is diff output... but if you compare, for example, /bin/rcp, the - line is the same as the + line. :s So I don't get why it gives this output.

As far as I know, I didn't compile the userland lately. :s
I thought it might be the work of a hacker, but I don't know why the permissions are still the same.

Still, thanks for your input, guys!
#5
30th June 2008
anomie

Quote:
Originally Posted by deadeyes
... if you compare for example the /bin/rcp then the - line is the same as the + line.
Actually it isn't the same. If you look carefully you'll see that the mtime is off by exactly one hour. There was another thread similar to this some time ago (you might try searching for it).

My next WAG is that you modified the timezone recently..?
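A triage script for a setuid diff like the one in the first post, added here as an example (it is not code from the thread or from the FreeBSD periodic scripts): it pairs each -/+ line by path and reports whether anything besides the mtime changed, so a uniform hour shift stands apart from a real modification or a newly appeared setuid file. The sample diff is constructed in the thread's format, with the /usr/bin/su mode bits altered on purpose; its +1h shift on February dates and +2h on May dates match what the original diff shows.

```python
from datetime import datetime

FIELDS = ("inode", "mode", "nlink", "owner", "group", "size")

# Constructed sample in the shape of the periodic security setuid diff; the
# /usr/bin/su line has its mode bits altered on purpose to show a real change.
SAMPLE_DIFF = """\
--- /var/log/setuid.today       2008-05-26 05:02:15.000000000 +0200
+++ /tmp/security.XXXXXX        2008-06-23 05:02:29.000000000 +0200
@@ -1,3 +1,3 @@
-49737 -r-sr-xr-x  1 root  wheel      18540 Feb 24 17:50:52 2008 /bin/rcp
-215785 -rwsr-xr-x  1 root  wheel     20347 May 25 21:03:39 2008 /usr/local/bin/lppasswd
-1484047 -r-sr-xr-x  1 root  wheel     14472 Feb 24 17:52:46 2008 /usr/bin/su
+49737 -r-sr-xr-x  1 root  wheel      18540 Feb 24 18:50:52 2008 /bin/rcp
+215785 -rwsr-xr-x  1 root  wheel     20347 May 25 23:03:39 2008 /usr/local/bin/lppasswd
+1484047 -rwsrwxr-x  1 root  wheel     14472 Feb 24 18:52:46 2008 /usr/bin/su
"""

def parse_entry(line):
    """Split one find -ls style line (minus its +/- marker) into path, attrs, mtime."""
    parts = line[1:].split(None, 10)   # path is the 11th field and may contain spaces
    if len(parts) != 11:
        return None
    inode, mode, nlink, owner, group, size, mon, day, clock, year, path = parts
    mtime = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return path, dict(zip(FIELDS, (inode, mode, nlink, owner, group, size))), mtime

def triage(diff_text):
    """Pair -/+ lines by path and say what changed. A uniform 'mtime only' shift
    (+1h on winter dates, +2h on summer dates) is a timezone change, not a new binary."""
    old, new = {}, {}
    for line in diff_text.splitlines():
        if line[:1] not in ("-", "+") or line.startswith(("---", "+++")):
            continue                       # skip diff headers and context lines
        parsed = parse_entry(line)
        if parsed is not None:
            (old if line[0] == "-" else new)[parsed[0]] = parsed[1:]
    report = {}
    for path in sorted(set(old) | set(new)):
        if path not in old or path not in new:
            report[path] = "added" if path in new else "removed"   # new setuid file!
            continue
        (a_old, t_old), (a_new, t_new) = old[path], new[path]
        changed = [f for f in FIELDS if a_old[f] != a_new[f]]
        hours = (t_new - t_old).total_seconds() / 3600
        if changed:
            report[path] = "attrs changed: " + ",".join(changed)
        else:
            report[path] = f"mtime only, shift {hours:+g}h" if hours else "identical"
    return report
```

On a real host, feed `triage()` the diff section of the daily security mail; a path reported as added, removed or with changed mode bits is the case that warrants a checksum comparison against known-good files.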
#6
2nd July 2008
deadeyes

Quote:
Originally Posted by anomie
Actually it isn't the same. If you look carefully you'll see that the mtime is off by exactly one hour. There was another thread similar to this some time ago (you might try searching for it).

My next WAG is that you modified the timezone recently..?
I installed ntpdate; this changed the date...
That will be what is causing it.

thanks man!