Hi All,
I have had an IPChains firewall up at a customer's site for a while
and run David Ranch's sendlogs every night. When I first set it up I logged
all the SUID programs to a file and sendlogs compares them every night.
I later updated traceroute from Red Hat's site (I am running on RH6.1) and
from then on I got a warning every night about traceroute having been
changed. I recently came across the following saying that rcp, rlogin and
rsh had changed. I went in and deleted the three executables since I don't
use them; I also changed the root password and could not find anything
else. Then this weekend I find that at, lockfile, procmail and su have
changed. I don't get it!! I am running very few daemons on the
machine, have locked down the ports quite tight, and only port forward
http, telnet, ftp and smtp to other machines! I think I will have to
rebuild the machine... how did they get in? I am not running apm, bind, or
any other vulnerable daemons... is ATD vulnerable to remote attack?
Gary B
>Date: Thu, 27 Jan 2000 04:03:08 -0500
>From: root <[EMAIL PROTECTED]>
>Subject: TrinityOS SUID results for Jan 26
>To: [EMAIL PROTECTED]
>
>15,17c15,17
>< 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 19:17
>/usr/bin/rcp
>< 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 19:17
>/usr/bin/rlogin
>< 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 19:17
>/usr/bin/rsh
>---
> > 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 1999
> /usr/bin/rcp
> > 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 1999
> /usr/bin/rlogin
> > 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 1999
> /usr/bin/rsh
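Review bot: this hunk shows no change to the binaries themselves: inode (148416, 148418, 148419), size, owner and mode are identical on both sides, and the only differing field is the date column, `Jul 30 19:17` on the baseline side versus `Jul 30 1999` on the current side. That is how `ls -l` prints timestamps: a file modified within roughly the last six months gets its time of day, an older file gets its year, so three files dated Jul 30 flip format around late January. Diffing raw `ls -l` output will keep producing this false change for every SUID file as it ages; compare fields that do not drift (inode, size, mode, and ideally a checksum) instead.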
>26c26
>< 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 10:21
>/usr/sbin/traceroute
>---
> > 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 1999
> /usr/sbin/traceroute
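Review bot: same pattern as the previous hunk: inode 83922, size 16488 and mode `-rwsr-xr-x` are unchanged and only `Jul 2 10:21` became `Jul 2 1999`, so this hunk does not show a replaced traceroute binary. A binary replaced by an updated package would normally show up as a different inode and/or size, not a different date format.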
Date: Fri, 11 Feb 2000 04:03:37 -0500
From: root <[EMAIL PROTECTED]>
Subject: TrinityOS SUID results for Feb 10
To: [EMAIL PROTECTED]
Message-id: <[EMAIL PROTECTED]>
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
15,17d14
< 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 19:17
/usr/bin/rcp
< 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 19:17
/usr/bin/rlogin
< 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 19:17
/usr/bin/rsh
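Review bot: this is a `d` hunk: the rcp, rlogin and rsh entries now exist only on the baseline side, which matches the poster having deleted the three binaries. After an intentional removal the baseline file should be regenerated, otherwise this hunk is reported every night and any real difference gets buried under it.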
26d22
< 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 10:21
/usr/sbin/traceroute
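Review bot: unlike the Jan 26 report, /usr/sbin/traceroute is now absent from the current listing entirely rather than differing in the date column. The post only mentions updating traceroute, not removing it or clearing its setuid bit, so this is the one hunk worth checking directly (`ls -l /usr/sbin/traceroute` and `rpm -V traceroute`) before the baseline is regenerated.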
Date: Mon, 14 Feb 2000 04:02:51 -0500
From: root <[EMAIL PROTECTED]>
Subject: TrinityOS SUID results for Feb 13
To: [EMAIL PROTECTED]
Message-id: <[EMAIL PROTECTED]>
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
5c5
< 147677 36 -rwsr-xr-x 1 root root 33152 Aug 16 16:35
/usr/bin/at
---
> 147677 36 -rwsr-xr-x 1 root root 33152 Aug 16 1999
/usr/bin/at
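Review bot: the same date-column artifact, now for a file dated Aug 16: inode 147677, size 33152 and mode are identical and `Aug 16 16:35` became `Aug 16 1999`. Aug 16 is roughly six months before this Feb 13 run, which is why at, lockfile, procmail and su all appear for the first time in this report and not in the Feb 10 one.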
13,17c13,14
< 148392 12 -rwxr-sr-x 1 root mail 12072 Aug 16 14:57
/usr/bin/lockfile
< 148394 72 -rwsr-sr-x 1 root mail 69556 Aug 16 14:57
/usr/bin/procmail
< 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 19:17
/usr/bin/rcp
< 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 19:17
/usr/bin/rlogin
< 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 19:17
/usr/bin/rsh
---
> 148392 12 -rwxr-sr-x 1 root mail 12072 Aug 16 1999
/usr/bin/lockfile
> 148394 72 -rwsr-sr-x 1 root mail 69556 Aug 16 1999
/usr/bin/procmail
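Review bot: lockfile and procmail are again date-format only (same inodes 148392 and 148394, same sizes and modes; note that `-rwxr-sr-x` on lockfile is setgid mail, not setuid root). The rcp/rlogin/rsh lines are still part of this hunk only because the baseline was never regenerated after they were deleted; regenerate it so each night's diff contains nothing but new differences.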
26d22
< 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 10:21
/usr/sbin/traceroute
28c24
< 115329 16 -rwsr-xr-x 1 root root 14124 Aug 17 22:31 /bin/su
---
> 115329 16 -rwsr-xr-x 1 root root 14124 Aug 17 1999 /bin/su
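Review bot: /bin/su: inode 115329, size 14124 and mode unchanged, only `Aug 17 22:31` became `Aug 17 1999`. To settle whether any of these binaries was actually modified rather than merely aged past the six-month mark, compare against a source that does not depend on ls formatting, e.g. `rpm -Va` against the package database (bearing in mind the database on a compromised host can be altered too) or checksums recorded when the baseline was first taken.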
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]