I get this sort of message every day, as follows:

Apr 22 04:09:11 mycroft : Security Warning: Change in Suid Root files found :
Apr 22 04:09:11 mycroft : - Added suid root files : /usr/X11R6/bin/Xwrapper
Apr 22 04:09:11 mycroft : - Added suid root files : /usr/X11R6/bin/xmame.x11
Apr 22 04:09:11 mycroft : - Added suid root files : /usr/X11R6/bin/xmame.x11-68k
Apr 22 04:09:11 mycroft : - Removed suid root files : /usr/X11R6/bin/xmame.x11
Apr 22 04:09:11 mycroft : - Removed suid root files : /usr/X11R6/bin/xmame.x11-68k
Apr 22 04:09:11 mycroft : - Removed suid root files : /usr/X11R6/bin/Xwrapper
...............

Apr 22 04:09:11 mycroft : 
Apr 22 04:09:11 mycroft : Security Warning: the md5 checksum for one of your SUID files has changed,
Apr 22 04:09:11 mycroft : maybe an intruder modified one of these suid binary in order to put in a backdoor...
Apr 22 04:09:11 mycroft : - Checksum changed files : /usr/X11R6/bin/Xwrapper
Apr 22 04:09:11 mycroft : - Checksum changed files : /usr/X11R6/bin/xmame.x11
Apr 22 04:09:11 mycroft : - Checksum changed files : /usr/X11R6/bin/xmame.x11-68k

As you can see, these files are apparently 'changed' every day. This seems
unlikely; I suspect some sort of loop by 'security' progs that keep undoing
each other's work, but I can't seem to find the offending progs. What I need
to do (I think) is to satisfy myself that everything is ok, and then 'tell'
whatever progs are responsible for this loop that everything is ok and only
tell me of actual changes, but not knowing the progs I don't know what config
files they might have :-(

I also get messages like this:

Apr 21 15:01:05 mycroft msec: changed mode of /var/log/security/open_port.today from 644 to 640

Every day something changes the permissions to 644 and then msec (I assume)
changes them back. I would like to track this down but I can't find any
documentation that seems to describe Mandrake-specific tools like msec (is it
lm specific?); #man msec is pretty brief.

Would I have avoided this state of affairs if I had clean installed to 8.2
instead of upgrading from 8.1?

guidance or pointers gratefully received

bascule

On Sunday 21 Apr 2002 8:24 pm, you wrote:
> On Sun Apr 21, 2002 at 11:01:50AM +0900, Gavin wrote:
> > I did an update from a clean install (running Mandrake linux8.0) and this
> > is what I got back the next morning.
> >
> > Security Warning: Change in Suid Root files found :
> >             - Added suid root files : /usr/lib/squid/pam_auth
> >
> > Security Warning: Changes in Suid Group files found :
> >             - Added suid group files : /usr/lib/squid/pam_auth
> >             - Removed suid group files : /usr/bin/gpg
> >

> If any of these files are *not* a part of a package you updated, then
> you have cause for concern.  If all of them are parts of packages you
> updated with MU, then you shouldn't be worried.

-- 
"Far out in the uncharted backwaters of the unfashionable 
end of the western spiral arm of the Galaxy lies a small 
unregarded yellow sun. "
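
Added example (not part of the original message, and not msec's own code): a triage script for reports of the kind quoted in this thread, which pairs "Added" and "Removed" entries per file and asks the RPM database which package owns each path, the check the quoted reply recommends. The function names and the sample lines are constructed for illustration, and the regular expression assumes the line format shown above.

```python
import re
import shutil
import subprocess
from collections import defaultdict

# Constructed sample shaped like the reports in this thread (one line wrapped by the mailer).
SAMPLE = """\
Apr 22 04:09:11 mycroft : - Added suid root files :
/usr/X11R6/bin/xmame.x11-68k
Apr 22 04:09:11 mycroft : - Removed suid root files : /usr/X11R6/bin/xmame.x11-68k
Apr 22 04:09:11 mycroft : - Checksum changed files : /usr/X11R6/bin/Xwrapper
Apr 22 04:09:11 mycroft : - Added suid root files : /usr/lib/squid/pam_auth
Apr 22 04:09:11 mycroft : - Removed suid group files : /usr/bin/gpg
"""
ENTRY = re.compile(r"- (Added|Removed|Checksum changed) (?:(suid \w+) )?files : (\S+)")

def unwrap(text):
    """Re-join a path that the mailer pushed onto its own line."""
    out = []
    for line in text.splitlines():
        if line.startswith("/") and out:
            out[-1] = out[-1].rstrip() + " " + line.strip()
        elif line.strip():
            out.append(line)
    return out

def classify(text):
    """Return ({(kind, path): status}, [paths whose checksum changed])."""
    acts, checksum = defaultdict(set), set()
    for m in filter(None, map(ENTRY.search, unwrap(text))):
        action, kind, path = m.groups()
        if action == "Checksum changed":
            checksum.add(path)
        else:
            acts[(kind, path)].add(action.lower())
    status = {k: "+".join(sorted(v)) for k, v in acts.items()}
    return status, sorted(checksum)

def owning_package(path):
    """Owning package per the RPM database; None if unowned or rpm is absent."""
    if shutil.which("rpm") is None:
        return None
    r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None

if __name__ == "__main__":
    status, changed = classify(SAMPLE)
    for (kind, path), s in sorted(status.items()):
        print(s, kind, path, owning_package(path), path in changed)
```

A path reported as added+removed in the same run is not cleared by that alone. A changed checksum on a file whose owning package was not updated is the case the quoted reply flags as cause for concern.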
