*BSD News Article 88465


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!lucy.swin.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!spool.mu.edu!newspump.sol.net!howland.erols.net!newsfeed.internetmci.com!katbert.ipa.net!keyhole.west.spy.net!bleu.west.spy.net!dustin
From: dustin@bleu.west.spy.net. (Dustin Sallings)
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Re: Daily Insecurity - Sudden Change
Date: 5 Feb 1997 00:21:50 GMT
Organization: Silicon Graphics, Inc.  Mountain View, CA
Lines: 23
Message-ID: <5d8jqu$ql9$1@keyhole.west.spy.net>
References: <5d7kf4$1nl@eirene.wingnet.net>
NNTP-Posting-Host: bleu.west.spy.net
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:5894


In article <5d7kf4$1nl@eirene.wingnet.net>, CRAIG@wingnet.net writes:
> In today's report, there were several files that reported like the following:
> 
> Setuid changes:
> -r-s--x---  2  uucp      117       28672  Jan  1   16:40:34  1996 /usr/bin/cu
> -r-s--x---  2  uucp      dialer    28672  Jan  1   16:40:34  1996 /usr/bin/cu
> -r-sr-x---  1  root      118       24576  Jan  1   16:39:56  1996 /usr/bin/ppp
> -r-sr-x---  1  root      netdial   24576  Jan  1   16:39:56  1996 /usr/bin/ppp
> 
> I know that I didn't change them, but they also are files that aren't even 
> used on the system.
> 
> Why would they show setuid changes all of a sudden?  Has anyone else 
> experienced this?

	It looks like you've been editing /etc/group.

--
IPA.net Sysadmin         My girlfriend asked me which one I like better.
pub  1024/3CAE01D5 1994/11/03 Dustin Sallings <dustin@spy.net>
|    Key fingerprint =  87 02 57 08 02 D0 DA D6  C8 0F 3E 65 51 98 D8 BE 
L_______________________ I hope the answer won't upset her. ____________
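
Added example, not part of either post: a Python sketch that pairs "Setuid changes" report lines by path and separates pairs that differ only in whether the owner or group column shows a number or a name (the pattern in the quoted report) from pairs where the file itself changed. The field layout is assumed from the quoted lines, and the /usr/bin/example pair is constructed.

```python
from collections import defaultdict

# Sample input: the four lines quoted in the post, plus a constructed
# /usr/bin/example pair (not from the post) showing a real mode change.
REPORT = """\
-r-s--x---  2  uucp      117       28672  Jan  1   16:40:34  1996 /usr/bin/cu
-r-s--x---  2  uucp      dialer    28672  Jan  1   16:40:34  1996 /usr/bin/cu
-r-sr-x---  1  root      118       24576  Jan  1   16:39:56  1996 /usr/bin/ppp
-r-sr-x---  1  root      netdial   24576  Jan  1   16:39:56  1996 /usr/bin/ppp
-r-xr-xr-x  1  root      wheel     12288  Jan  1   16:39:56  1996 /usr/bin/example
-r-sr-xr-x  1  root      wheel     12288  Jan  1   16:39:56  1996 /usr/bin/example
"""

FIELDS = ("mode", "links", "owner", "group", "size",
          "mon", "day", "time", "year", "path")
ID_FIELDS = ("owner", "group")

def parse(line):
    """Split one ls-style report line into named fields, or return None."""
    parts = line.strip().split(None, len(FIELDS) - 1)
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(report):
    """Map each path to a verdict on how its two report lines differ."""
    by_path = defaultdict(list)
    for line in report.splitlines():
        rec = parse(line)
        if rec:
            by_path[rec["path"]].append(rec)
    verdicts = {}
    for path, recs in by_path.items():
        if len(recs) != 2:
            verdicts[path] = "unpaired entry: review"
            continue
        a, b = recs
        changed = [f for f in FIELDS if a[f] != b[f]]
        # Name-resolution only: nothing but owner/group differs, and each
        # differing column is a bare number on one side and a name on the other.
        if changed and all(f in ID_FIELDS and a[f].isdigit() != b[f].isdigit()
                           for f in changed):
            verdicts[path] = "name resolution only (%s)" % ", ".join(changed)
        else:
            verdicts[path] = "file changed (%s): review" % ", ".join(changed)
    return verdicts

if __name__ == "__main__":
    for path, verdict in classify(REPORT).items():
        print(path, "->", verdict)
```

A "name resolution only" verdict points at /etc/passwd or /etc/group rather than at the binary; any other verdict means the file's own metadata differs and deserves a closer look.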