Prologue: Running Debian Potato 2.2 r2 with most recent security updates from the security servers. *Any* suggestions or comments welcome.
I was checking my RADIUS server logs...just for the fun of it :-) and came across this in my setuid.changes line: *********************************************** radius changes to setuid programs and devices: --- setuid.today Fri Mar 23 00:05:34 2001 +++ /var/log/setuid.new.tmp Sat Mar 24 00:06:07 2001 @@ -1,10 +1,10 @@ - 81 4755 1 root root 5668 Fri Jan 12 04:59:29 2001 /usr/lib/pt_chown 137 4755 1 root root 36188 Fri Jan 12 20:27:58 2001 /bin/login 138 4755 1 root root 23420 Fri Jan 12 20:27:58 2001 /bin/su 139 4755 1 root root 65404 Fri Jan 12 20:27:58 2001 /bin/mount 140 4755 1 root root 36572 Fri Jan 12 20:27:58 2001 /bin/umount 141 4755 1 root root 14896 Fri Jan 12 20:27:58 2001 /bin/ping 143 4755 1 root root 13808 Fri Jan 12 20:27:58 2001 /bin/ping6 + 147 4755 1 root root 5668 Mon Jan 15 15:06:47 2001 /usr/lib/pt_chown 2088 666 1 root root 0 Fri Jan 12 20:51:00 2001 /dev/null 2089 640 1 root kmem 0 Fri Jan 12 20:51:00 2001 /dev/kmem 2092 666 1 root root 0 Fri Jan 12 20:51:01 2001 /dev/zero @@ -810,10 +810,10 @@ 2898 666 1 root tty 0 Wed Jul 5 12:43:52 2000 /dev/tty7 2899 600 1 root root 0 Wed Jul 5 12:43:53 2000 /dev/vcs7 2900 600 1 root root 0 Wed Jul 5 12:43:53 2000 /dev/vcsa7 - 2901 666 1 root tty 0 Fri Mar 23 00:05:01 2001 /dev/tty8 + 2901 666 1 root tty 0 Sat Mar 24 00:05:01 2001 /dev/tty8 2902 600 1 root root 0 Wed Jul 5 12:43:53 2000 /dev/vcs8 2903 600 1 root root 0 Wed Jul 5 12:43:53 2000 /dev/vcsa8 - 2904 666 1 root tty 0 Fri Mar 23 00:05:01 2001 /dev/tty9 + 2904 666 1 root tty 0 Sat Mar 24 00:05:01 2001 /dev/tty9 2905 600 1 root root 0 Wed Jul 5 12:43:53 2000 /dev/vcs9 2906 600 1 root root 0 Wed Jul 5 12:43:53 2000 /dev/vcsa9 2907 666 1 root tty 0 Wed Jul 5 12:43:53 2000 /dev/tty10 
@@ -4122,7 +4122,6 @@ 29236 4755 1 root root 25692 Fri Jan 12 20:27:47 2001 /usr/bin/passwd 29384 4755 1 root root 34480 Mon Apr 3 06:57:46 2000 /usr/bin/at 29415 2755 1 root tty 10004 Tue Jul 18 10:03:22 2000 /usr/bin/write - 29501 2755 1 root mail 65660 Tue Aug 8 14:08:47 2000 /usr/bin/mail 30703 2755 1 root mail 8288 Mon Jun 21 12:48:03 1999 /usr/bin/dotlockfile 30707 2755 1 root mail 6212 Fri Sep 24 18:47:00 1999 /usr/bin/mail-lock 31232 4755 2 root root 536236 Sun Apr 30 11:14:04 2000 /usr/bin/sperl5.00503 ************************************************
All of the previous setuid.changes.x (going back to 6) log files only have the /dev/ttyxx and /dev/vcsxx files listed. This gives me great pause. I checked the setuid.today and the setuid.yesterday and they both read the same. I can list those if necessary and requested, but I've checked them over and over and *every* line is the same. Not to mention the fact that I haven't installed or updated anything with regard to login, password, mount, etc. The question is this: has the checksecurity program lost its mind, or have I been breached? This server is exposed at our firewall for only the radius related ports and those coming from specific IP addresses. I understand that IPs can be spoofed, so that isn't completely secure, but better than nothing. Is there anything that I can check to start seeing if I've been hacked? Any way to check what might be going on? Has anyone seen anything like this? Please help!
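Review bot: the first hunk (`@@ -1,10 +1,10 @@`) does not show pt_chown gaining or losing anything: the `-` line at inode 81 and the `+` line at inode 147 carry the same mode 4755, the same root:root ownership and the same size 5668, so the entry only moved because the listing is sorted by inode and the file now sits on a new one. A rewritten file whose mtime (Mon Jan 15) is two months older than this run is what dpkg leaves behind when a package upgrade replaces a file, since it keeps the timestamps stored in the archive; before treating it as hostile, find the owning package with `dpkg -S /usr/lib/pt_chown` and compare `md5sum /usr/lib/pt_chown` with the entry in `/var/lib/dpkg/info/<package>.md5sums`. If no package operation accounts for it, a replaced setuid root binary is exactly the change to investigate.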
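Review bot: the second hunk (`@@ -810,10 +810,10 @@`) is timestamp noise, not a permission change: /dev/tty8 and /dev/tty9 keep their inodes, mode 666 and root:tty, and the only difference is the mtime moving from Fri Mar 23 00:05:01 to Sat Mar 24 00:05:01, seconds before checksecurity itself ran (the `---` and `+++` headers read 00:05:34 and 00:06:07). That pattern suggests something in the nightly cron run writes to those terminals, which also fits the earlier setuid.changes files containing only /dev/tty* and /dev/vcs* entries; this hunk can be set aside.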
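Review bot: the third hunk (`@@ -4122,7 +4122,6 @@`) is the one that needs an answer: the setgid entry `29501 2755 1 root mail 65660 Tue Aug 8 14:08:47 2000 /usr/bin/mail` is removed and nothing takes its place, here or in the other two hunks (the hunk header itself records a net loss of one line), so /usr/bin/mail has either been deleted or is still present but no longer setgid mail. Check which with `ls -l /usr/bin/mail`, then verify the file against its package with `dpkg -S /usr/bin/mail` and the matching md5sums file under /var/lib/dpkg/info/. A dropped setgid bit or a checksum mismatch with no package operation behind it is the finding to chase, whereas the other two hunks are explained by the listing format itself.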
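The triage the post is asking for, as an added example that is not from the original post or from checksecurity itself: a small Python script (rather than the shell and awk the admin would type) that parses two listings in the setuid.today format quoted above, ignores timestamp-only churn on devices, and separates a file rewritten with its attributes intact from one whose permission bits or size changed or that vanished. The sample listings are constructed from lines quoted in the post, and the previous-run time is taken from its `---` header.

```python
# Added example, not from the post. Assumed listing format (as quoted there):
#   inode mode nlink owner group size <Day Mon D HH:MM:SS YYYY> path
from collections import namedtuple
from datetime import datetime

Entry = namedtuple("Entry", "inode mode nlink owner group size mtime path")
# Sample listings constructed from lines quoted in the post.
OLD_LISTING = """
81 4755 1 root root 5668 Fri Jan 12 04:59:29 2001 /usr/lib/pt_chown
137 4755 1 root root 36188 Fri Jan 12 20:27:58 2001 /bin/login
2901 666 1 root tty 0 Fri Mar 23 00:05:01 2001 /dev/tty8
29501 2755 1 root mail 65660 Tue Aug 8 14:08:47 2000 /usr/bin/mail
"""
NEW_LISTING = """
147 4755 1 root root 5668 Mon Jan 15 15:06:47 2001 /usr/lib/pt_chown
137 4755 1 root root 36188 Fri Jan 12 20:27:58 2001 /bin/login
2901 666 1 root tty 0 Sat Mar 24 00:05:01 2001 /dev/tty8
"""
PREVIOUS_RUN = datetime(2001, 3, 23, 0, 5, 34)  # from the "--- setuid.today" header

def parse_listing(text):
    """Map path -> Entry; lines that are not 12 fields (banners, blanks) are skipped."""
    entries = {}
    for line in text.splitlines():
        f = line.split(None, 11)  # the path is everything after the year
        if len(f) == 12:
            mtime = datetime.strptime(" ".join(f[6:11]), "%a %b %d %H:%M:%S %Y")
            entries[f[11]] = Entry(int(f[0]), f[1], int(f[2]), f[3], f[4], int(f[5]), mtime, f[11])
    return entries

def classify_changes(old, new, previous_run):
    """Return {path: verdict} for each entry that differs, most to least suspicious:
    attr-change (mode/owner/group/size), removed/added, replaced (new inode written
    since the previous run), replaced-old-mtime (new inode but mtime older than the
    previous run: dpkg keeps archive timestamps, so confirm via md5sums), mtime-only."""
    verdicts = {p: "removed" for p in old.keys() - new.keys()}
    verdicts.update({p: "added" for p in new.keys() - old.keys()})
    for path in old.keys() & new.keys():
        o, n = old[path], new[path]
        if (o.mode, o.owner, o.group, o.size) != (n.mode, n.owner, n.group, n.size):
            verdicts[path] = "attr-change"
        elif o.inode != n.inode:
            verdicts[path] = "replaced-old-mtime" if n.mtime < previous_run else "replaced"
        elif o.mtime != n.mtime:
            verdicts[path] = "mtime-only"  # e.g. /dev/tty* touched by a nightly cron job
    return verdicts

if __name__ == "__main__":
    verdicts = classify_changes(parse_listing(OLD_LISTING), parse_listing(NEW_LISTING), PREVIOUS_RUN)
    print("\n".join(f"{v:20} {p}" for p, v in sorted(verdicts.items())))
```

Run it against real files by reading setuid.yesterday and setuid.today into the two listing strings; entries that come back as attr-change, removed or added are the ones to check against package md5sums first.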