Subject: Re: Setuid deletions
To: Quentin Garnier <cube@cubidou.net>
From: Petar Bogdanovic <p.netbsd@2005.smokva.net>
List: netbsd-users
Date: 12/15/2005 13:29:52
Quentin Garnier wrote:
> On Thu, Dec 15, 2005 at 11:18:03AM +0100, Petar Bogdanovic wrote:
>> Hi!
>>
>> I just got this mail from a NetBSD 3-0-RC1 box:
>>
>> ********************************************************
>> Checking setuid files and devices:
>> Setuid/device find errors:
>> find: ipw: Authentication error
>>
>> Setuid deletions:
>> -r-xr-sr-x 1 root kmem 15252 Nov 21 14:23:06 2005 /sbin/ccdconfig
>> -r-sr-xr-x 1 root wheel 27334 Nov 21 14:23:14 2005 /sbin/ping
>> -r-sr-xr-x 1 root wheel 35927 Nov 21 14:23:28 2005 /sbin/ping6
>> -r-sr-xr-- 1 root operator 14463 Nov 21 14:23:17 2005 /sbin/shutdown
>> ********************************************************
>>
>>
>> The 'Authentication error' is irrelevant - it's just an old smbfs-share
>> which got disconnected because the smb-server went down.
>>
>> But the 'Setuid deletions' are impossible - I've never touched these
>> files since the very first day of this box.. :(
>>
>> Am I being hacked?
>
> I think the Authentication error is probably relevant. If find stopped
> after that, it didn't find the other files, and then the script found a
> diff between the stored list and the current one.
>
> As you state, the files are still there.
>
Thank you, this makes sense.
's' comes after 'm' and because the smb-share was mounted on /mnt/smb,
find couldn't reach /sbin.
I assume the security report of tomorrow will contain 'Setuid
additions' for ccdconfig, ping, ping6 and shutdown..
Thanks again.
Petar
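An added example, not NetBSD's /etc/security script and not from anyone in this thread: a small POSIX sh check that compares a stored, sorted list of setuid/setgid paths against a fresh find run, but treats a non-zero exit from find (an unreachable mount, as above) as "list incomplete" and skips the deletions comparison instead of reporting every unvisited file as deleted. The function name setuid_check and the path-only list format are assumptions; the real daily report prints ls -l lines.

```shell
#!/bin/sh
# Added example, not NetBSD's /etc/security: compare a stored (sorted) list
# of setuid/setgid paths against a fresh find run, and refuse to report
# "Setuid deletions" when find itself failed, because a find error (for
# instance an unreachable smbfs mount) means the fresh list is incomplete,
# not that the files are gone.
#
# Usage (assumed interface): setuid_check STORED_LIST DIR...
# Exit status: 0 no change, 1 additions or deletions found, 2 find failed.
setuid_check() {
    stored=$1; shift
    tmp=$(mktemp) || return 2
    errs=$(mktemp) || return 2

    # Same selection as the daily check: setuid (4000) or setgid (2000) files.
    find_status=0
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print \
        >"$tmp" 2>"$errs" || find_status=$?

    if [ "$find_status" -ne 0 ]; then
        # An unreadable or unreachable path makes the list untrustworthy:
        # show the error and skip the comparison instead of reporting
        # every unvisited file as deleted.
        echo "Setuid/device find errors (exit status $find_status):"
        sed 's/^/    /' "$errs"
        echo "Current list incomplete; not comparing against $stored."
        rm -f "$tmp" "$errs"
        return 2
    fi

    sort -o "$tmp" "$tmp"
    deleted=$(comm -23 "$stored" "$tmp")   # in stored list, not found now
    added=$(comm -13 "$stored" "$tmp")     # found now, not in stored list
    rc=0
    if [ -n "$deleted" ]; then
        echo "Setuid deletions:"; echo "$deleted"; rc=1
    fi
    if [ -n "$added" ]; then
        echo "Setuid additions:"; echo "$added"; rc=1
    fi
    rm -f "$tmp" "$errs"
    return $rc
}
```

The stored list must be sorted with the same sort(1) collation the function uses, since comm(1) relies on it.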