Investigating passwd, group and setuid diffs in status mails

Kenneth Bernholm kenneth at bernholm.dk
Thu Aug 7 05:29:04 UTC 2014


I have found a couple of worrying messages in the FreeBSD (10) status mails and I'm not sure how to interpret the information. Both mails came in at 03:11 last night, when for the first time I had left my workstation (zork) on. I have other FreeBSD 10 machines (servers) in the same LAN which are always on, and they've reported nothing.

Below is the daily run output mail. I'm worried about the passwd and group diffs, as I have not changed any groups or passwords for a while. My question is: how do I investigate these diffs properly, and are there any obvious explanations or reasons that I should know about?


Removing stale files from /var/preserve:

Cleaning out old system announcements:

Removing stale files from /var/rwho:

Backup passwd and group files:
zork passwd diffs:
34a35
> logcheck:(password):915:915::0:0:Logcheck system account:/var/lib/logcheck:/usr/local/bin/bash
zork group diffs:
41a42,43
> ssmtp:*:916:
> logcheck:*:915:

Verifying group file syntax:
/etc/group is fine

Backing up mail aliases:

Disk status:
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/ada0p2    140G     25G    105G    19%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0p1     451G     22G    393G     5%    /usbdisk

Network interface status:
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs Coll Drop
em0    1500 <Link#1>      90:e2:ba:6a:c0:dc   247366     0     0   227852     0    0    0
em0    1500 192.168.1.0   zork                239442     -     -   226920     -    -    -
lo0   16384 <Link#2>                               0     0     0        0     0    0    0
lo0   16384 localhost     ::1                      0     -     -        0     -    -    -
lo0   16384 fe80::1%lo0   fe80::1                  0     -     -        0     -    -    -
lo0   16384 your-net      localhost                0     -     -        0     -    -    -

Local system status:
 3:01AM  up 22:21, 2 users, load averages: 0.24, 0.33, 0.25

Mail in local queue:
mailq: Mail queue is empty

Mail in submit queue:
mailq: Mail queue is empty

Security check:
    (output mailed separately)

Checking for rejected mail hosts:

Backing up pkgng database:

-- End of daily output --

My other worry is the daily security run output mail from the same workstation (see below). There are a couple of setuid diffs and then a dump of old log file entries. My question is again: how do I investigate these diffs and what could cause them? Also - why the dump of the old log entries?



Checking setuid files and devices: zork setuid diffs: --- /var/log/setuid.today        2014-05-21 03:07:00.000000000 +0200 +++ /tmp/security.kNUKUHM3        2014-08-07 03:06:29.000000000 +0200 @@ -32,13 +32,15 @@  7704735 -r-sr-xr-x  6 root  wheel         22376 Jan 16 23:41:02 2014 /usr/bin/ypchpass  7704735 -r-sr-xr-x  6 root  wheel         22376 Jan 16 23:41:02 2014 /usr/bin/ypchsh  7704601 -r-sr-xr-x  2 root  wheel          8296 Jan 16 23:41:09 2014 /usr/bin/yppasswd -7791699 -r-xr-sr-x  1 root  smmsp        676064 Jan 16 23:41:34 2014 /usr/libexec/sendmail/sendmail +7791952 -r-xr-sr-x  1 root  smmsp        676064 Jun 26 06:30:49 2014 /usr/libexec/sendmail/sendmail  7707857 -r-sr-xr-x  1 root  wheel         32824 Jan 16 23:40:38 2014 /usr/libexec/ssh-keysign  7707853 -r-sr-xr-x  1 root  wheel          6000 Jan 16 23:40:05 2014 /usr/libexec/ulog-helper  8268343 -r-sr-xr-x  1 root 
wheel       1819872 Apr 15 05:47:39 2014 /usr/local/bin/Xorg +8269540 -rwxr-sr-x  1 root  wheel         18064 Jun 26 06:34:34 2014 /usr/local/bin/lockfile  8266420 -rwxr-sr-x  1 root  mail          11392 Apr  6 12:40:12 2014 /usr/local/bin/mutt_dotlock  8268183 -rwsr-xr-x  1 root  wheel         20072 Apr 15 05:43:54 2014 /usr/local/bin/pkexec -8268086 -rwsr-x---  1 root  messagebus   280784 Apr 15 05:41:41 2014 /usr/local/libexec/dbus-daemon-launch-helper +8269542 -rwsr-sr-x  1 root  wheel         98224 Jun 26 06:34:34 2014 /usr/local/bin/procmail +8269658 -rwsr-x---  1 root  messagebus   270896 Jul  1 12:14:01 2014 /usr/local/libexec/dbus-daemon-launch-helper  8268207 -rwsr-xr-x  1 root  wheel         12152 Apr 15 05:43:54 2014 /usr/local/libexec/polkit-agent-helper-1  8268125 -rwxr-sr-x  1 root  polkit        19736 Apr 15 05:42:07 2014 /usr/local/libexec/polkit-explicit-grant-helper 
8268126 -rwxr-sr-x  1 root  polkit        17712 Apr 15 05:42:07 2014 /usr/local/libexec/polkit-grant-helper @@ -47,6 +49,7 @@  8268129 -rwsr-xr-x  1 root  wheel          8472 Apr 15 05:42:07 2014 /usr/local/libexec/polkit-resolve-exe-helper  8268130 -rwxr-sr-x  1 root  polkit        21328 Apr 15 05:42:07 2014 /usr/local/libexec/polkit-revoke-helper  8268131 -rwsr-xr-x  1 root  polkit        22032 Apr 15 05:42:07 2014 /usr/local/libexec/polkit-set-default-helper +8269530 -r-xr-sr-x  1 root  ssmtp         32360 Jun 25 10:26:12 2014 /usr/local/sbin/ssmtp  7707669 -r-sr-sr-x  2 root  authpf        24160 Jan 16 23:41:18 2014 /usr/sbin/authpf  7707669 -r-sr-sr-x  2 root  authpf        24160 Jan 16 23:41:18 2014 /usr/sbin/authpf-noip  7707607 -r-xr-sr-x  1 root  daemon        55584 Jan 16 23:41:27 2014 /usr/sbin/lpc Checking negative group permissions: Checking for uids of 0: root 0 toor 0
Checking for passwordless accounts: Checking login.conf permissions: zork kernel log messages: +++ /tmp/security.GuJvYr8G        2014-08-07 03:11:32.000000000 +0200 +FreeBSD 10.0-RELEASE-p6 #0: Tue Jun 24 07:47:37 UTC 2014 +vgapci0: <VGA-compatible display> port 0x2220-0x2227 mem 0xf0100000-0xf017ffff,0xe0000000-0xefffffff,0xf0000000-0xf00fffff irq 16 at device 2.0 on pci0 +em0: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0x2100-0x211f mem 0xf0180000-0xf019ffff,0xf01a4000-0xf01a4fff irq 19 at device 25.0 on pci0 +uhci0: <Intel 82801I (ICH9) USB controller> port 0x2120-0x213f irq 20 at device 26.0 on pci0 +uhci1: <Intel 82801I (ICH9) USB controller> port 0x2140-0x215f irq 21 at device 26.1 on pci0 +uhci2: <Intel 82801I (ICH9) USB controller> port 0x2160-0x217f irq 22 at device 26.2 on pci0 +uhci3: <Intel 82801I (ICH9) USB controller> port 0x2180-0x219f irq 20 at device 29.0 on pci0
+uhci4: <Intel 82801I (ICH9) USB controller> port 0x21a0-0x21bf irq 21 at device 29.1 on pci0 +em0: <Intel(R) PRO/1000 Legacy Network Connection 1.0.6> port 0x1100-0x113f mem 0xf0200000-0xf021ffff,0xf0220000-0xf023ffff irq 20 at device 4.0 on pci7 +em0: Ethernet address: 90:e2:ba:6a:c0:dc +atapci0: <Intel ICH9 SATA300 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x21e0-0x21ef,0x21f0-0x21ff irq 18 at device 31.2 on pci0 +atapci1: <Intel ICH9 SATA300 controller> port 0x2238-0x223f,0x2250-0x2253,0x2240-0x2247,0x2254-0x2257,0x2200-0x220f,0x2210-0x221f irq 18 at device 31.5 on pci0 +Timecounter "TSC-low" frequency 1163772879 Hz quality 1000 +ugen3.2: <Western Digital> at usbus3 +ugen1.2: <Logitech> at usbus1 +ukbd0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1 +ums0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1 +uhid0: <Logitech USB
Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1 zork login failures: zork refused connections: Checking for packages with security vulnerabilities: dbus-1.8.4 firefox-30.0_1,1 nss-3.16 -- End of security output --
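
Review bot: the baseline this setuid diff was taken against is not from last night: the "---" header shows /var/log/setuid.today dated 2014-05-21, so the two hunks cover roughly eleven weeks of changes, and every "+" entry carries a June or July mtime inside that window. That lines up with the obvious benign explanation rather than a compromise: sendmail gaining a new inode with a Jun 26 06:30 mtime (same size as before) while the kernel log section reports "FreeBSD 10.0-RELEASE-p6 #0: Tue Jun 24" looks like a freebsd-update to p6, and lockfile and procmail (Jun 26 06:34), ssmtp (Jun 25, setgid to the new ssmtp group, gid 916, which is also what the daily group diff added) and the rebuilt dbus-daemon-launch-helper (Jul 1) look like package installs and upgrades done on those days. The logcheck account in the passwd diff (uid/gid 915, home under /var/lib/logcheck) is the matching port-created account; the "(password)" in that line is the daily script masking the hash, not a literal field. To confirm instead of assuming, tie each new binary to a package, an install time and a good checksum: `pkg which /usr/local/bin/procmail`, `pkg query '%n-%v %t' procmail ssmtp dbus`, `pkg check -s procmail ssmtp dbus`, and `freebsd-update IDS` for the base sendmail. Of the additions, procmail is the only one that is both setuid root and setgid (-rwsr-sr-x root wheel); if it came in as a dependency rather than by choice, it is the one to consider removing.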
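
Review bot: the kernel log hunk is all "+" lines of boot-time probe output (vgapci0, em0, uhci0-4, atapci0/1, ugen/ukbd/ums/uhid), not old log entries reappearing: the check diffs the current dmesg buffer against the copy saved at the previous security run, and with that previous run back in May and the box rebooted about a day before the mail (the daily output shows "3:01AM up 22:21"), the entire buffer is new to it. It is a security finding only insofar as the hardware listed should be yours; the USB mass storage device (ugen3.2 Western Digital, presumably the da0 mounted on /usbdisk) is the one item worth recognising. What does need action in this mail is the last section: dbus-1.8.4, firefox-30.0_1,1 and nss-3.16 are reported with known vulnerabilities and should be upgraded.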
Of course my main concern is if my system has been compromised. All inputs on the situation are greatly appreciated.

Kenneth Bernholm
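To turn a "setuid diffs" hunk like the one in the security mail into a short list of things to chase, here is an added example (not FreeBSD's periodic code and not the poster's): a shell function that pairs the "-" and "+" lines by path, classifies each path as ADDED, REMOVED or CHANGED, and flags entries that are setuid root and/or setgid. It assumes the line format that /etc/periodic/security/100.chksetuid mails out (inode, mode, link count, owner, group, size, full date, path). The sample input is constructed from the changed lines of the hunk above.

```shell
#!/bin/sh
# Added example for this thread (not FreeBSD code, not the poster's): triage a
# periodic(8) "setuid diffs" hunk.  Pairs the -/+ lines by path, classifies each
# path as ADDED, REMOVED or CHANGED, and flags setuid-root / setgid entries so
# you know which ones to tie back to a package or a base update.

# Reads a unified diff in the format 100.chksetuid produces
# (inode mode links owner group size mon day time year path) on stdin and
# prints one "ACTION path [flags] detail" line per path, in diff order.
triage_setuid_diff() {
    awk '
    $1 == "---" { print "BASELINE", $2, $3; next }   # file and date of the old list
    $1 == "+++" { print "CURRENT",  $2, $3; next }   # file and date of the new list
    /^[-+][0-9]/ {
        sign = substr($1, 1, 1); sub(/^[-+]/, "", $1)
        path = $NF
        rec  = $2 " " $4 ":" $5 " " $6 " " $7 " " $8 " " $9 " " $10 " ino=" $1
        if (sign == "-") was[path] = rec; else now[path] = rec
        if (!(path in seen)) { seen[path] = 1; order[++n] = path }
        next
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if ((p in was) && (p in now)) {
                act = "CHANGED"; rec = now[p]; detail = "was: " was[p] " now: " now[p]
            } else if (p in now) {
                act = "ADDED";   rec = now[p]; detail = rec
            } else {
                act = "REMOVED"; rec = was[p]; detail = rec
            }
            split(rec, f, " ")          # f[1] = mode string, f[2] = owner:group
            flag = ""
            # 4th mode char is "s" when setuid, 7th when setgid (ls -l layout)
            if (substr(f[1], 4, 1) == "s" && f[2] ~ /^root:/) flag = flag " [setuid-root]"
            if (substr(f[1], 7, 1) == "s")                     flag = flag " [setgid]"
            printf "%s %s%s %s\n", act, p, flag, detail
        }
    }'
}

# Constructed sample: the changed lines of the hunk from the security mail.
sample_diff() {
    cat <<'EOF'
--- /var/log/setuid.today   2014-05-21 03:07:00.000000000 +0200
+++ /tmp/security.kNUKUHM3  2014-08-07 03:06:29.000000000 +0200
@@ -32,13 +32,15 @@
 7704601 -r-sr-xr-x  2 root  wheel          8296 Jan 16 23:41:09 2014 /usr/bin/yppasswd
-7791699 -r-xr-sr-x  1 root  smmsp        676064 Jan 16 23:41:34 2014 /usr/libexec/sendmail/sendmail
+7791952 -r-xr-sr-x  1 root  smmsp        676064 Jun 26 06:30:49 2014 /usr/libexec/sendmail/sendmail
+8269540 -rwxr-sr-x  1 root  wheel         18064 Jun 26 06:34:34 2014 /usr/local/bin/lockfile
-8268086 -rwsr-x---  1 root  messagebus   280784 Apr 15 05:41:41 2014 /usr/local/libexec/dbus-daemon-launch-helper
+8269542 -rwsr-sr-x  1 root  wheel         98224 Jun 26 06:34:34 2014 /usr/local/bin/procmail
+8269658 -rwsr-x---  1 root  messagebus   270896 Jul  1 12:14:01 2014 /usr/local/libexec/dbus-daemon-launch-helper
@@ -47,6 +49,7 @@
+8269530 -r-xr-sr-x  1 root  ssmtp         32360 Jun 25 10:26:12 2014 /usr/local/sbin/ssmtp
EOF
}

# Number of paths with a given action (ADDED, REMOVED, CHANGED) in the sample.
count_action() {
    sample_diff | triage_setuid_diff | awk -v a="$1" '$1 == a { c++ } END { print c + 0 }'
}

# Run stand-alone: prints the triage of the sample hunk.
sample_diff | triage_setuid_diff
```

Against the sample this reports three ADDED paths (lockfile, procmail, ssmtp) and two CHANGED ones (sendmail and dbus-daemon-launch-helper, both with a new inode and mtime), with procmail the only addition flagged both setuid-root and setgid. Feed it the saved mail, or regenerate the diff after a run with `diff -u /var/log/setuid.yesterday /var/log/setuid.today`, then follow each ADDED or CHANGED path with `pkg which` and `pkg check -s` for ports binaries, or `freebsd-update IDS` for base ones.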
