Subject: Setuid deletions
To: None <netbsd-users@netbsd.org>
From: Petar Bogdanovic <p.netbsd@2005.smokva.net>
List: netbsd-users
Date: 12/15/2005 11:18:03
Hi!

I just got this mail from a NetBSD 3-0-RC1 box:

********************************************************
Checking setuid files and devices:
Setuid/device find errors:
find: ipw: Authentication error

Setuid deletions:
-r-xr-sr-x 1 root kmem 15252 Nov 21 14:23:06 2005 /sbin/ccdconfig
-r-sr-xr-x 1 root wheel 27334 Nov 21 14:23:14 2005 /sbin/ping
-r-sr-xr-x 1 root wheel 35927 Nov 21 14:23:28 2005 /sbin/ping6
-r-sr-xr-- 1 root operator 14463 Nov 21 14:23:17 2005 /sbin/shutdown
********************************************************


The 'Authentication error' is irrelevant - it's just an old smbfs-share 
which got disconnected because the smb-server went down.

But the 'Setuid deletions' are impossible - I've never touched these 
files since the very first day of this box.. :(

Am I being hacked?


Thank you & with kind regards,

Petar


P.S:

********************************************************
$ pwd
/sbin
$ ls -la ccdconfig ping ping6 shutdown
-r-xr-sr-x  1 root  kmem      15252 Nov 21 15:23 ccdconfig
-r-sr-xr-x  1 root  wheel     27334 Nov 21 15:23 ping
-r-sr-xr-x  1 root  wheel     35927 Nov 21 15:23 ping6
-r-sr-xr--  1 root  operator  14463 Nov 21 15:23 shutdown
********************************************************