Subject: Re: am I in trouble?
To: Greg MATTHEWS <G.Matthews@cs.ucl.ac.uk>
From: David S. <davids@idiom.com>
List: netbsd-help
Date: 04/12/2002 13:30:18
> 
> Setuid deletions:
> -r-xr-sr-x 1 root operator 68436 Jan 18 00:57:34 2002 /bin/df
> -r-sr-xr-x 1 root wheel 313784 Jan 18 00:58:14 2002 /bin/rcmd
> -r-xr-sr-x 1 root kmem 131240 Jan 18 00:59:46 2002 /sbin/ccdconfig
> -r-xr-sr-x 2 root tty 372680 Jan 18 01:01:46 2002 /sbin/dump
> -r-xr-sr-x 2 root tty 373300 Jan 18 01:02:08 2002 /sbin/dump_lfs
> -r-sr-xr-x 1 root wheel 275820 Jan 18 01:00:32 2002 /sbin/ping
> -r-sr-xr-x 1 root wheel 287724 Jan 18 01:02:41 2002 /sbin/ping6
> -r-xr-sr-x 2 root tty 372680 Jan 18 01:01:46 2002 /sbin/rdump
> -r-xr-sr-x 2 root tty 373300 Jan 18 01:02:08 2002 /sbin/rdump_lfs
> -r-sr-xr-- 1 root operator 296588 Jan 18 01:00:59 2002 /sbin/shutdown
> 
> What's going on? I haven't done anything to this box recently. Should I be 
> worried? Seems like a strange little subset of binaries to be a rootkit.

Are those files gone, or have their permissions just changed?  If they're
gone, has the machine re-booted lately from a crash or other un-clean
shutdown?  Have you checked '/lost+found' for these missing files?

David S.
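
The three checks asked about above (file gone, mode bits changed, orphan in lost+found), as an added shell example that is not part of the original message. It reads `ls -l` style lines like those in the quoted report; the function names and the `ROOT` prefix are hypothetical, chosen for illustration.

```shell
#!/bin/sh
# Constructed helper, not from the thread.
# Usage: triage_report < report.txt   (ls -l lines, optional "> " quote prefix)
# ROOT is a hypothetical prefix for checking a disk mounted elsewhere;
# leave it empty to check the live system.

classify_entry() {
    # $1 = mode string from the old listing, $2 = size in bytes, $3 = path
    mode=$1 size=$2 path=${ROOT:-}$3
    if [ ! -e "$path" ]; then
        echo "missing $3"
        # fsck renames orphans placed in lost+found but keeps their size,
        # so list same-size regular files there as candidates.
        find "${ROOT:-}/lost+found" -type f -size "${size}c" 2>/dev/null |
            sed 's/^/  same-size /'
        return 0
    fi
    # Character 4 of the mode string marks setuid, character 7 marks setgid.
    case $mode in ???[sS]*) want_uid=1 ;; *) want_uid=0 ;; esac
    case $mode in ??????[sS]*) want_gid=1 ;; *) want_gid=0 ;; esac
    if [ "$want_uid" = 1 ] && [ ! -u "$path" ]; then
        echo "bits-cleared $3"
    elif [ "$want_gid" = 1 ] && [ ! -g "$path" ]; then
        echo "bits-cleared $3"
    else
        # File exists with its bits intact: compare size, owner and mtime
        # against the old listing by hand.
        echo "present $3"
    fi
}

triage_report() {
    set -f                                   # no globbing while splitting fields
    while read -r line; do
        line=${line#"> "}                    # drop the e-mail quote marker
        case $line in -*) ;; *) continue ;; esac   # regular-file entries only
        set -- $line
        [ $# -ge 6 ] || continue
        mode=$1 size=$5
        for last in "$@"; do :; done         # the path is the last field
        classify_entry "$mode" "$size" "$last"
    done
    set +f
}
```
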
