Anyone know why the following files would occasionally show up in the
security check as "removed suid root file" and "added suid root file"?
/usr/X11R6/bin/xman
/usr/X11R6/bin/xlock
/usr/bin/Wnn4/jserver
They also (today at least) show up with different checksums. I have had this
happen maybe 5 times now, always with these specific files. At first, I
thought a cracker might be responsible and did a full reinstall. But then it
happened within a few hours of the re-install, when the machine had spent
less than an hour connected to the intranet (internet access is through
another machine).
I have no idea why or how these files could have been modified, and jserver
at least seems an unusual choice for a backdoor (since you are unlikely to
find it on too many machines).
Anyone else seeing this kind of thing?
--
Chris and Yoshiko Spackman
[EMAIL PROTECTED] (English)
[EMAIL PROTECTED] (Japanese)
www.openhistory.org
"I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
numbered. My life is my own."
-The Prisoner