On Sat, Aug 09, 2003 at 10:47:27PM -0700, Ken Bloom wrote:
> Sometime in the past few days, my modem /dev/ttyS4 changed its
> permissions from 660 to 640 without my intervention. My first question:
> is there any kind of security package on debian that might have done
> this as a cronjob? I don't use devfs.
>
> When asking on #debian, a user suggested that I check my logs to see if
> I had been hacked.

*sigh* Such a typical #debian knee-jerk response. Why would a cracker want to reduce the permissions on a device, and a fairly innocuous one at that? By a single bit? Don't panic; this is vanishingly unlikely and you definitely shouldn't go off and reinstall on the word of somebody on IRC who gives that answer to everything out of the ordinary.

> I found in /var/logs/auth.log that the command `su` had been run to
> switch from user `root` to user `nobody` at 3:35 this morning,

That's a standard cron job reducing privileges in a slightly noisy way. Don't worry about it.

I have no specific suggestions, unfortunately, but if I were you, I'd start grepping for 'ttyS' in /etc and start there. Assuming you haven't changed the permissions back, you could also install the 'stat' package, type 'stat /dev/ttyS4', and look at the "Change:" line; that'll tell you when the change happened, and perhaps you could use that time to isolate a particular cron job (or at least a particular class of cron jobs - see /etc/crontab or /etc/anacrontab).

If you have changed them back, then wait until it happens again - since it probably will - and start investigating then.

> please cc: me as I am not subscribed to this high-volume mailing list

If you could include an appropriate Mail-Followup-To: header so that some people's mailers will do that automatically, it would be helpful.

Cheers,

-- 
Colin Watson [EMAIL PROTECTED]
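
The check suggested in the reply above, sketched as an added example that is not part of the original message: take the inode change time that stat reports for the device and list the /etc/crontab entries that started shortly before it. The function names change_epoch and cron_candidates are hypothetical, the crontab in the no-argument demo is constructed, and GNU stat and date are assumed.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are
# hypothetical; assumes GNU stat and date.

# Print the inode change time of $1 (stat's "Change:" line) as epoch seconds.
change_epoch() {
    stat -c %Z -- "$1"
}

# Print lines of system crontab $1 ("-" for stdin) whose job starts at most
# $4 minutes before hour $2, minute $3. Handles a numeric minute field with
# a numeric or "*" hour field; anything else (*/5, ranges, VAR=value) is
# skipped. Day-of-month, month and weekday fields are ignored, and
# fixed-hour jobs that started before midnight are not wrapped.
cron_candidates() {
    awk -v h="$2" -v m="$3" -v w="$4" '
        /^[ \t]*(#|$)/ { next }                  # comments, blank lines
        $1 !~ /^[0-9]+$/ { next }
        $2 != "*" && $2 !~ /^[0-9]+$/ { next }
        {
            target = h * 60 + m
            hour = ($2 == "*") ? h : $2
            start = hour * 60 + $1
            # An hourly job later in the hour last ran in the previous hour.
            if ($2 == "*" && start > target) start -= 60
            delta = target - start
            if (delta >= 0 && delta <= w) print
        }' "$1"
}

# Usage: sh ctime-cron.sh /dev/ttyS4 [crontab] [window-minutes]
if [ "$#" -ge 1 ]; then
    t=$(change_epoch "$1") || exit 1
    echo "inode change: $(date -d "@$t" '+%Y-%m-%d %H:%M')"
    cron_candidates "${2:-/etc/crontab}" \
        "$(date -d "@$t" +%H)" "$(date -d "@$t" +%M)" "${3:-30}"
else
    # No arguments: demo on a constructed crontab, change time 06:40.
    cron_candidates - 06 40 30 <<'EOF'
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root cd / && run-parts --report /etc/cron.daily
47 6 * * 7 root cd / && run-parts --report /etc/cron.weekly
EOF
fi
```

A match on a run-parts line narrows the search to that directory (for example /etc/cron.daily), which can then be grepped for 'ttyS' as the reply suggests.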

