setuid diffs in daily security run output

Raimund Sacherer rs at logitravel.com
Wed Feb 18 09:22:11 UTC 2015


Hello, 

This is one of our first FreeBSD servers we use, and I'd rather be safe than sorry. We put in production a FreeBSD 10.0 system and it has been running (in production) for a couple of weeks now. Reading the security run emails today I noticed a lot of those: 

--- snip --- 
- 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp 
- 511 -r-sr-x--- 1 root operator 9880 Jan 16 22:40:33 2014 /sbin/mksnap_ffs 
- 471 -r-sr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping 
- 546 -r-sr-xr-x 1 root wheel 36496 Jan 16 22:40:34 2014 /sbin/ping6 
- 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/poweroff 
- 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/shutdown 
- 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/at 
- 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/atq 
--- snip --- 

I did not see those messages before, and I normally do read those mails. 

So I checked with stat: 

File: "/bin/rcp"
Size: 19912 FileType: Regular File
Mode: (4555/-r-sr-xr-x) Uid: ( 0/ root) Gid: ( 0/ wheel)
Device: 71,202637507 Inode: 587 Links: 1
Access: Thu Jan 16 23:40:07 2014
Modify: Thu Jan 16 23:40:07 2014
Change: Fri Aug 1 18:15:30 2014

But there are no strange modifications recently ... 

How come those messages are today in the security output? Are those permissions correct? Should I be worried about an intruder? 

Best 
Ray 
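The periodic setuid check behind this report keeps a listing of setuid files from the previous run and mails the diff; the `-` lines above are entries that no longer match. Below is an added example (not code from FreeBSD or from this thread) that parses that listing format, as quoted above, and separates permission or ownership changes from harmless metadata drift such as a shifted timestamp. The sample listings and the /usr/local/bin/newtool path are constructed for the demonstration.

```python
import re
from collections import namedtuple

# Assumed line format, taken from the listing quoted in the mail (ls -liTd style):
# [diff marker] <inode> <mode> <links> <owner> <group> <size> <Mon> <DD> <HH:MM:SS> <YYYY> <path>
LINE_RE = re.compile(
    r"^\s*(?:[-+]\s+)?(?P<inode>\d+)\s+(?P<mode>[-a-zA-Z]{10}[+@]?)\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+(?P<path>\S.*?)\s*$"
)
Entry = namedtuple("Entry", "inode mode links owner group size mtime path")

def parse_listing(text):
    """Parse a setuid listing into {path: Entry}; a malformed line raises ValueError."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        e = Entry(**m.groupdict())
        entries[e.path] = e
    return entries

# A change in one of these fields is what matters for a setuid binary; inode,
# size and mtime also move on every reinstall, so those go to 'touched' instead.
SECURITY_FIELDS = ("mode", "owner", "group")

def diff_listings(old, new):
    """Compare two parsed listings and return added/removed/changed/touched paths."""
    report = {"added": [], "removed": [], "changed": [], "touched": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        else:
            o, n = old[path], new[path]
            diffs = [f for f in SECURITY_FIELDS if getattr(o, f) != getattr(n, f)]
            if diffs:
                report["changed"].append((path, diffs))
            elif o != n:
                report["touched"].append(path)
    return report

# Constructed sample: previous run vs. current run. /bin/rcp only shifted its
# timestamp by an hour; /sbin/ping gained a mode bit; a new setuid file appeared.
OLD_LISTING = """
- 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
- 471 -r-sr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
"""
NEW_LISTING = """
587 -r-sr-xr-x 1 root wheel 19912 Jan 16 23:40:07 2014 /bin/rcp
471 -rwsr-xrwx 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
1234 -r-sr-xr-x 1 root wheel 4096 Feb 17 10:00:00 2015 /usr/local/bin/newtool
"""

if __name__ == "__main__":
    for kind, items in diff_listings(parse_listing(OLD_LISTING), parse_listing(NEW_LISTING)).items():
        print(kind, items)
```

Run against the two stored listings, the mode change on /sbin/ping and the new file are the lines worth investigating, while the timestamp-only difference on /bin/rcp is reported but not treated as a permission change.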