Subject: Re: am I in trouble?
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Greg MATTHEWS <G.Matthews@cs.ucl.ac.uk>
List: netbsd-help
Date: 04/15/2002 12:13:40

thanks for the replies... the files are still there and have the same
permissions as listed in the 'setuid deletions' section.

baffled GREG

> On Fri, Apr 12, 2002 at 02:28:42PM +0100, Greg MATTHEWS wrote:
> > just got this mail on my netbsd box:
> > 
> > Date:    Fri, 12 Apr 2002 03:33:40 GMT
> > To:      root
> > From:    Charlie Root <root>
> > Subject: potomac daily insecurity output for Fri Apr 12 03:15:01 GMT 2002
> > 
> > Return-Path: daemon
> > Delivery-Date: Fri Apr 12 03:33:41 2002
> > Return-Path: <root>
> > 
> > 
> > Checking setuid files and devices:
> > Setuid/device find errors:
> > find: fts_read: No such file or directory
> > 
> > Setuid deletions:
> > -r-xr-sr-x 1 root operator 68436 Jan 18 00:57:34 2002 /bin/df
> > -r-sr-xr-x 1 root wheel 313784 Jan 18 00:58:14 2002 /bin/rcmd
> > -r-xr-sr-x 1 root kmem 131240 Jan 18 00:59:46 2002 /sbin/ccdconfig
> > -r-xr-sr-x 2 root tty 372680 Jan 18 01:01:46 2002 /sbin/dump
> > -r-xr-sr-x 2 root tty 373300 Jan 18 01:02:08 2002 /sbin/dump_lfs
> > -r-sr-xr-x 1 root wheel 275820 Jan 18 01:00:32 2002 /sbin/ping
> > -r-sr-xr-x 1 root wheel 287724 Jan 18 01:02:41 2002 /sbin/ping6
> > -r-xr-sr-x 2 root tty 372680 Jan 18 01:01:46 2002 /sbin/rdump
> > -r-xr-sr-x 2 root tty 373300 Jan 18 01:02:08 2002 /sbin/rdump_lfs
> > -r-sr-xr-- 1 root operator 296588 Jan 18 01:00:59 2002 /sbin/shutdown
> > 
> > what's going on? i haven't done anything to this box recently. should i be 
> > worried? seems like a strange little subset of binaries to be a rootkit.
> 
> Did you check what the permissions on the files are now?
> 
> --
> Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
>      NetBSD: 23 years of experience will always make the difference
> --
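
One way to run the check asked about in the reply (what the permissions on the listed files are now) over the whole "Setuid deletions" list at once; this is an added example, not part of the original thread or of NetBSD's security script. The function name `recheck_setuid` is hypothetical, and the sketch assumes the report is fed on stdin (mail quoting allowed) and that paths contain no spaces.

```shell
#!/bin/sh
# Re-check every file named under "Setuid deletions:" against the live
# filesystem. Reads the report on stdin and prints one line per file:
#   unchanged <path> | changed <path> (was ..., now ...) | missing <path>
# recheck_setuid is a hypothetical helper name (assumption, see lead-in).
recheck_setuid() {
    in_section=0
    while IFS= read -r line; do
        # Drop mail quoting ("> > ") so the report can be pasted from a reply.
        line=$(printf '%s\n' "$line" | sed 's/^[> ]*//')
        case $line in
            "Setuid deletions:") in_section=1; continue ;;
            "") in_section=0; continue ;;   # a blank line ends the section
        esac
        [ "$in_section" -eq 1 ] || continue
        # First field is the recorded mode string, last field is the path.
        want=${line%% *}
        path=${line##* }
        if [ ! -e "$path" ]; then
            echo "missing $path"
            continue
        fi
        # The first 10 characters of ls -ld are the mode; trailing ACL or
        # label markers that some systems append are ignored.
        have=$(ls -ld -- "$path" | cut -c1-10)
        if [ "$have" = "$want" ]; then
            echo "unchanged $path"
        else
            echo "changed $path (was $want, now $have)"
        fi
    done
}
```

If every listed file comes back `unchanged`, the files themselves match what the report recorded, which is the situation described at the top of this message.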