Subject: Setuid deletions
To: None <netbsd-users@netbsd.org>
From: Petar Bogdanovic <p.netbsd@2005.smokva.net>
List: netbsd-users
Date: 12/15/2005 11:18:03
Hi!
I just got this mail from a NetBSD 3-0-RC1 box:
********************************************************
Checking setuid files and devices:
Setuid/device find errors:
find: ipw: Authentication error
Setuid deletions:
-r-xr-sr-x 1 root kmem 15252 Nov 21 14:23:06 2005 /sbin/ccdconfig
-r-sr-xr-x 1 root wheel 27334 Nov 21 14:23:14 2005 /sbin/ping
-r-sr-xr-x 1 root wheel 35927 Nov 21 14:23:28 2005 /sbin/ping6
-r-sr-xr-- 1 root operator 14463 Nov 21 14:23:17 2005 /sbin/shutdown
********************************************************
The 'Authentication error' is irrelevant - it's just an old smbfs-share
which got disconnected because the smb-server went down.
But the 'Setuid deletions' are impossible - I've never touched this
files since the very first day of this box.. :(
Am I being hacked?
Thank you & with kind regards,
Petar
P.S:
********************************************************
$ pwd
/sbin
$ ls -la ccdconfig ping ping6 shutdown
-r-xr-sr-x 1 root kmem 15252 Nov 21 15:23 ccdconfig
-r-sr-xr-x 1 root wheel 27334 Nov 21 15:23 ping
-r-sr-xr-x 1 root wheel 35927 Nov 21 15:23 ping6
-r-sr-xr-- 1 root operator 14463 Nov 21 15:23 shutdown
********************************************************