Subject: Re: am I in trouble?
To: Greg MATTHEWS <G.Matthews@cs.ucl.ac.uk>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-help
Date: 04/12/2002 19:33:29
On Fri, Apr 12, 2002 at 02:28:42PM +0100, Greg MATTHEWS wrote:
> just got this mail on my netbsd box:
> 
> Date:    Fri, 12 Apr 2002 03:33:40 GMT
> To:      root
> From:    Charlie Root <root>
> Subject: potomac daily insecurity output for Fri Apr 12 03:15:01 GMT 2002
> 
> Return-Path: daemon
> Delivery-Date: Fri Apr 12 03:33:41 2002
> Return-Path: <root>
> 
> 
> Checking setuid files and devices:
> Setuid/device find errors:
> find: fts_read: No such file or directory
> 
> Setuid deletions:
> -r-xr-sr-x 1 root operator 68436 Jan 18 00:57:34 2002 /bin/df
> -r-sr-xr-x 1 root wheel 313784 Jan 18 00:58:14 2002 /bin/rcmd
> -r-xr-sr-x 1 root kmem 131240 Jan 18 00:59:46 2002 /sbin/ccdconfig
> -r-xr-sr-x 2 root tty 372680 Jan 18 01:01:46 2002 /sbin/dump
> -r-xr-sr-x 2 root tty 373300 Jan 18 01:02:08 2002 /sbin/dump_lfs
> -r-sr-xr-x 1 root wheel 275820 Jan 18 01:00:32 2002 /sbin/ping
> -r-sr-xr-x 1 root wheel 287724 Jan 18 01:02:41 2002 /sbin/ping6
> -r-xr-sr-x 2 root tty 372680 Jan 18 01:01:46 2002 /sbin/rdump
> -r-xr-sr-x 2 root tty 373300 Jan 18 01:02:08 2002 /sbin/rdump_lfs
> -r-sr-xr-- 1 root operator 296588 Jan 18 01:00:59 2002 /sbin/shutdown
> 
> What's going on? I haven't done anything to this box recently. Should I be 
> worried? Seems like a strange little subset of binaries to be a rootkit.

Did you check what the permissions on the files are now?

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
     NetBSD: 23 years of experience will always make the difference
--
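Manuel's question is the right first check: the report also shows find erroring out ("fts_read: No such file or directory"), so the "Setuid deletions" list should be verified on disk before it is treated as real. The script below is an added example written for this page, not code from the thread or from NetBSD's security script. It parses the ls-style lines of the report (read on stdin, quote prefix removed), works out which setuid/setgid bit each line records, and compares that with what `ls -ld` shows for the path now. The paths and modes in SAMPLE_REPORT are copied from the quoted report; the assumed report field layout (mode, links, owner, group, size, month, day, time, year, path) and the `ls -ld` output format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): re-check the current mode bits of the
# paths listed under "Setuid deletions" in NetBSD's daily insecurity output.
# Usage: check_setuid_report < saved_report_lines.txt
#   or:  printf '%s\n' "$SAMPLE_REPORT" | check_setuid_report

# Constructed sample input: lines copied from the quoted report, "> " removed.
SAMPLE_REPORT='-r-xr-sr-x 1 root operator 68436 Jan 18 00:57:34 2002 /bin/df
-r-sr-xr-x 1 root wheel 313784 Jan 18 00:58:14 2002 /bin/rcmd
-r-sr-xr-x 1 root wheel 275820 Jan 18 01:00:32 2002 /sbin/ping
-r-sr-xr-- 1 root operator 296588 Jan 18 01:00:59 2002 /sbin/shutdown'

# special_bits MODE: print "u" for setuid, "g" for setgid ("ug" for both,
# "-" for neither). Position 4 of an ls mode string is the user execute slot
# (s/S when setuid), position 7 the group execute slot (s/S when setgid).
special_bits() {
    b=""
    case "$1" in ???[sS]*) b="${b}u" ;; esac
    case "$1" in ??????[sS]*) b="${b}g" ;; esac
    printf '%s' "${b:--}"
}

# current_mode PATH: the 10-character mode field from ls -ld, or "missing".
# Only the first 10 characters are taken so an ACL/context marker is ignored.
current_mode() {
    if [ -e "$1" ]; then
        ls -ld "$1" | cut -c1-10
    else
        printf 'missing'
    fi
}

# check_setuid_report: reads report lines on stdin. For each path, compares
# the special bits the report recorded with those on disk now and prints
# UNCHANGED / CHANGED / MISSING per path. Returns the number of paths that
# changed or no longer exist (0 means the report list matches the disk).
check_setuid_report() {
    changed=0
    # assumed field layout: mode links owner group size mon day time year path
    while read -r mode _links _owner _group _size _mon _day _time _year path; do
        [ -z "$mode" ] && continue
        want=$(special_bits "$mode")
        now=$(current_mode "$path")
        if [ "$now" = missing ]; then
            printf 'MISSING   %s (report %s)\n' "$path" "$want"
            changed=$((changed + 1))
        else
            have=$(special_bits "$now")
            if [ "$want" = "$have" ]; then
                printf 'UNCHANGED %s (%s)\n' "$path" "$have"
            else
                printf 'CHANGED   %s (report %s -> now %s)\n' "$path" "$want" "$have"
                changed=$((changed + 1))
            fi
        fi
    done
    return "$changed"
}

# Demo run against the sample lines; the exit status doubles as a count.
printf '%s\n' "$SAMPLE_REPORT" | check_setuid_report \
    || echo "$? path(s) differ from the report or are missing"
```

Run it on the box that sent the report, since the paths and their expected bits are specific to that NetBSD install; a CHANGED line means the bit is really gone (compare against a known-good install or the distribution's mtree specs), while a run that reports every path UNCHANGED points at the find error rather than at tampering.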