setuid diffs in daily security run output
Raimund Sacherer
rs at logitravel.com
Wed Feb 18 09:22:11 UTC 2015
Hello,
This is one of the first FreeBSD servers we use, and I'd rather be safe than sorry: we put a FreeBSD 10.0 system into production and it has been running (in production) for a couple of weeks now. Reading the security run emails today I noticed a lot of these:
--- snip ---
- 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
- 511 -r-sr-x--- 1 root operator 9880 Jan 16 22:40:33 2014 /sbin/mksnap_ffs
- 471 -r-sr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
- 546 -r-sr-xr-x 1 root wheel 36496 Jan 16 22:40:34 2014 /sbin/ping6
- 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/poweroff
- 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/shutdown
- 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/at
- 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/atq
--- snip ---
I did not see those messages before, but I do normally read those mails.
So I checked with stat:
File: "/bin/rcp"
Size: 19912 FileType: Regular File
Mode: (4555/-r-sr-xr-x) Uid: ( 0/ root) Gid: ( 0/ wheel)
Device: 71,202637507 Inode: 587 Links: 1
Access: Thu Jan 16 23:40:07 2014
Modify: Thu Jan 16 23:40:07 2014
Change: Fri Aug 1 18:15:30 2014
But there are no strange modifications recently ...
How come those messages are today in the security output? Are those permissions correct? Should I be worried about an intruder?
Best
Ray
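The listing in the mail prints 22:40:07 for /bin/rcp while stat shows 23:40:07 for the same file. The script below is an added example (not part of the post and not FreeBSD's own periodic script): it compares two setuid inventories in the same inode/mode/links/owner/group/size/date/path layout and separates entries where only the displayed timestamp moved (as after a time zone change) from entries whose mode, owner, size or link count really changed. It assumes paths contain no spaces and uses constructed sample listings.

```sh
#!/bin/sh
# Added example (not from the post or from FreeBSD's periodic scripts): compare
# two setuid inventories in the "inode mode links owner group size date path"
# layout the security run prints, and say per path whether only the displayed
# timestamp moved or whether mode/owner/group/size/links actually changed.
# Assumes paths contain no spaces (true for the files listed in the mail).

# Constructed sample: a saved baseline and today's listing for the same host.
OLD_LIST='587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
471 -r-sr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/at'
NEW_LIST='587 -r-sr-xr-x 1 root wheel 19912 Jan 16 23:40:07 2014 /bin/rcp
471 -rwsr-xr-x 1 root wheel 28024 Jan 16 23:40:34 2014 /sbin/ping
900 -r-sr-xr-x 1 root wheel 12345 Feb 17 10:00:00 2015 /usr/local/bin/newsuid'

# Keep inode, mode, links, owner, group, size and path; drop the four
# month/day/time/year fields so a clock or time zone shift can neither mask
# a real attribute change nor be mistaken for one.
strip_time() {
  awk '{ printf "%s %s %s %s %s %s %s\n", $1, $2, $3, $4, $5, $6, $NF }'
}

# Print "<kind> <path>" for every path in either list, where kind is one of
# unchanged, time-only, attr-changed, added, removed.
classify() {
  old=$1; new=$2
  { printf '%s\n' "$old"; printf '%s\n' "$new"; } | awk '{ print $NF }' | sort -u |
  while read -r path; do
    o=$(printf '%s\n' "$old" | awk -v p="$path" '$NF == p')
    n=$(printf '%s\n' "$new" | awk -v p="$path" '$NF == p')
    if [ -z "$o" ]; then
      echo "added $path"
    elif [ -z "$n" ]; then
      echo "removed $path"
    elif [ "$o" = "$n" ]; then
      echo "unchanged $path"
    elif [ "$(printf '%s\n' "$o" | strip_time)" = "$(printf '%s\n' "$n" | strip_time)" ]; then
      echo "time-only $path"
    else
      echo "attr-changed $path"
    fi
  done
}

# Only attr-changed, added and removed entries deserve a closer look with stat(1).
classify "$OLD_LIST" "$NEW_LIST"
```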