Subject: Re: Setuid deletions
To: Petar Bogdanovic <p.netbsd@2005.smokva.net>
From: Quentin Garnier <cube@cubidou.net>
List: netbsd-users
Date: 12/15/2005 11:28:43

On Thu, Dec 15, 2005 at 11:18:03AM +0100, Petar Bogdanovic wrote:
> Hi!
>
> I just got this mail from a NetBSD 3-0-RC1 box:
>
> ********************************************************
> Checking setuid files and devices:
> Setuid/device find errors:
> find: ipw: Authentication error
>
> Setuid deletions:
> -r-xr-sr-x 1 root kmem 15252 Nov 21 14:23:06 2005 /sbin/ccdconfig
> -r-sr-xr-x 1 root wheel 27334 Nov 21 14:23:14 2005 /sbin/ping
> -r-sr-xr-x 1 root wheel 35927 Nov 21 14:23:28 2005 /sbin/ping6
> -r-sr-xr-- 1 root operator 14463 Nov 21 14:23:17 2005 /sbin/shutdown
> ********************************************************
>
>
> The 'Authentication error' is irrelevant - it's just an old smbfs-share
> which got disconnected because the smb-server went down.
>
> But the 'Setuid deletions' are impossible - I've never touched these
> files since the very first day of this box.. :(
>
> Am I being hacked?

I think the Authentication error is probably relevant.  If find stopped
after that, it didn't find the other files, and then the script found a
diff between the stored list and the current one.

As you state, the files are still there.

-- 
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"When I find the controls, I'll go where I like, I'll know where I want
to be, but maybe for now I'll stay right here on a silent sea."
KT Tunstall, Silent Sea, Eye to the Telescope, 2004.
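The failure mode Quentin describes, as an added example that is not part of the thread and not NetBSD's own /etc/security script: a naive diff of the stored setuid list against a `find` run that aborted on a dead mount reports every unreached file as "deleted". The hardened compare below treats a missing entry as a real deletion only when `find` exited cleanly and the path is really gone; the listings, the `find_ok` flag and the `exists` callback are constructed inputs.

```python
"""Setuid-list diff that does not trust a partial `find` run (constructed example)."""
import re
from dataclasses import dataclass, field

# One ls-style line as printed in the daily report: mode links owner group size date... path
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+.+?\s(/\S+)$")

# Constructed: yesterday's stored list (same shape as the lines in the report).
STORED = """\
-r-sr-xr-x 1 root wheel 13456 Nov 21 14:22:00 2005 /bin/rcp
-r-xr-sr-x 1 root kmem 15252 Nov 21 14:23:06 2005 /sbin/ccdconfig
-r-sr-xr-x 1 root wheel 27334 Nov 21 14:23:14 2005 /sbin/ping
-r-sr-xr-x 1 root wheel 35927 Nov 21 14:23:28 2005 /sbin/ping6
-r-sr-xr-- 1 root operator 14463 Nov 21 14:23:17 2005 /sbin/shutdown
"""
# Constructed: today's list, cut short because find hit the unreachable smbfs mount.
CURRENT = """\
-r-sr-xr-x 1 root wheel 13456 Nov 21 14:22:00 2005 /bin/rcp
"""


def parse_listing(text):
    """Map path -> (mode, owner, group); lines that are not ls-style are ignored."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mode, owner, group, path = m.groups()
            entries[path] = (mode, owner, group)
    return entries


@dataclass
class SetuidReport:
    deletions: list = field(default_factory=list)   # gone from disk, find ran cleanly
    unverified: list = field(default_factory=list)  # missing from the list, but not proven gone
    additions: list = field(default_factory=list)


def compare(stored_text, current_text, find_ok, exists):
    """find_ok: did find exit 0?  exists: callback saying whether a path is still on disk."""
    stored, current = parse_listing(stored_text), parse_listing(current_text)
    report = SetuidReport()
    for path in sorted(stored):
        if path in current:
            continue
        # A missing entry is a deletion only if the scan was complete and the file is gone.
        if not find_ok or exists(path):
            report.unverified.append(path)
        else:
            report.deletions.append(path)
    report.additions = sorted(set(current) - set(stored))
    return report
```

With `find_ok=False` the four /sbin binaries come back as unverified rather than as deletions, which is the answer to "Am I being hacked?" in this thread.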
