Looks like I can relax and look for a modified solution for the SUID
comparison. I was bitten by an irregularity in the LS command (see below).
Thank you all again for the prompt responses. I can cancel the order for
tranquilizers.
Gary B
BTW is anyone else running into this problem of doing a diff on the results
of a LS command?
At 01:28 PM 2/14/00 -0600, you wrote:
>Looks like you are getting bit by the ls(1) command. The way it behaves
>is that anything older than a given time frame (typically six months) is
>displayed with a year, and anything younger is displayed with the time.
>Also, future dates are displayed with the year.
>
>If you are checking for date changes, you should probably have a perl
>script that can check the EPOCH date value, and also do things like
>MD5(1) checksums.
>
>There are a few freeware products out there that already do this type of
>stuff.
>
>Hope this helps.
>
>--
>Chris Riney E-mail: [EMAIL PROTECTED]
>Tandy Information Services
>Tandy Technology Sqr, Suite 200
>Fort Worth, TX 76102 Phone: 817/415-0308; 8:00am-5:00pm CST, Mo-Fr
>*** NOTICE: This in no way authorizes use of This E-mail address,
>*** or any mentioned in this message, to be included in any Mailing list!
>
>
> /"\
> \ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
> X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
> / \
>
>"Baribault, Gary" <[EMAIL PROTECTED]> wrote:
> > Hi All,
> >
> > I have had an IPChains firewall up at a customer's site for a while
> > and run David Ranch's sendlogs every night. When I first set it up, I logged
> > all the SUID programs to a file and the sendlogs compares them every
> > night.
> > I later updated traceroute from Red Hat's site (I am running on RH6.1) and
> > from then on I got a warning every night about traceroute having been
> > changed. I recently came across the following saying that rcp, rlogin and
> > rsh had changed. I went in and deleted the three executables since I don't
> > use them, I also changed the root password and could not find anything
> > else. Then this weekend I find that at, lockfile, procmail and su have
> > changed. I don't get it!! I am running very few daemons on the
> > machine, have locked down the ports quite tight, and only port forward
> > http, telnet, ftp and smtp to other machines! I think I will have to
> > rebuild the machine .. how did they get in? I am not running apm, bind, or
> > any other vulnerable daemons.. is ATD vulnerable from remote attack?
> >
> > Gary B
> >
> >
> > >Date: Thu, 27 Jan 2000 04:03:08 -0500
> > >From: root <[EMAIL PROTECTED]>
> > >Subject: TrinityOS SUID results for Jan 26
> > >To: [EMAIL PROTECTED]
> > >
> > >15,17c15,17
> > >< 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 19:17
> > >/usr/bin/rcp
> > >< 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 19:17
> > >/usr/bin/rlogin
> > >< 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 19:17
> > >/usr/bin/rsh
> > >---
> > > > 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 1999
> > > /usr/bin/rcp
> > > > 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 1999
> > > /usr/bin/rlogin
> > > > 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 1999
> > > /usr/bin/rsh
> > >26c26
> > >< 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 10:21
> > >/usr/sbin/traceroute
> > >---
> > > > 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 1999
> > > /usr/sbin/traceroute
> >
> > Date: Fri, 11 Feb 2000 04:03:37 -0500
> > From: root <[EMAIL PROTECTED]>
> > Subject: TrinityOS SUID results for Feb 10
> > To: [EMAIL PROTECTED]
> > Message-id: <[EMAIL PROTECTED]>
> > MIME-version: 1.0
> > Content-type: TEXT/PLAIN; CHARSET=US-ASCII
> >
> > 15,17d14
> > < 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 19:17
> > /usr/bin/rcp
> > < 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 19:17
> > /usr/bin/rlogin
> > < 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 19:17
> > /usr/bin/rsh
> > 26d22
> > < 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 10:21
> > /usr/sbin/traceroute
> >
> >
> > Date: Mon, 14 Feb 2000 04:02:51 -0500
> > From: root <[EMAIL PROTECTED]>
> > Subject: TrinityOS SUID results for Feb 13
> > To: [EMAIL PROTECTED]
> > Message-id: <[EMAIL PROTECTED]>
> > MIME-version: 1.0
> > Content-type: TEXT/PLAIN; CHARSET=US-ASCII
> >
> > 5c5
> > < 147677 36 -rwsr-xr-x 1 root root 33152 Aug 16 16:35
> > /usr/bin/at
> > ---
> > > 147677 36 -rwsr-xr-x 1 root root 33152 Aug 16 1999
> > /usr/bin/at
> > 13,17c13,14
> > < 148392 12 -rwxr-sr-x 1 root mail 12072 Aug 16 14:57
> > /usr/bin/lockfile
> > < 148394 72 -rwsr-sr-x 1 root mail 69556 Aug 16 14:57
> > /usr/bin/procmail
> > < 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 19:17
> > /usr/bin/rcp
> > < 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 19:17
> > /usr/bin/rlogin
> > < 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 19:17
> > /usr/bin/rsh
> > ---
> > > 148392 12 -rwxr-sr-x 1 root mail 12072 Aug 16 1999
> > /usr/bin/lockfile
> > > 148394 72 -rwsr-sr-x 1 root mail 69556 Aug 16 1999
> > /usr/bin/procmail
> > 26d22
> > < 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 10:21
> > /usr/sbin/traceroute
> > 28c24
> > < 115329 16 -rwsr-xr-x 1 root root 14124 Aug 17 22:31
> > /bin/su
> > ---
> > > 115329 16 -rwsr-xr-x 1 root root 14124 Aug 17 1999
> > /bin/su
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
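Chris's suggestion of keying the nightly SUID comparison on the epoch mtime and a checksum rather than on ls output, as an added Python example that is not part of this thread, of sendlogs or of TrinityOS: ls_date reproduces the six-month time/year switch that produced the spurious diffs quoted above, and the remaining functions build and compare a clock-independent fingerprint baseline. The temp directory and the fake "su" file in demo() are constructed for illustration.

```python
import hashlib, os, stat, tempfile, time
SIX_MONTHS = 180 * 86400  # ls(1) switches from time to year at roughly six months

def ls_date(mtime, now):
    """Date column as ls -l prints it: 'Mon DD HH:MM' when the file is recent,
    'Mon DD  YYYY' when it is older than six months or dated in the future."""
    t = time.localtime(mtime)
    if 0 <= now - mtime < SIX_MONTHS:
        return "%s %2d %02d:%02d" % (time.strftime("%b", t), t.tm_mday, t.tm_hour, t.tm_min)
    return "%s %2d  %d" % (time.strftime("%b", t), t.tm_mday, t.tm_year)

def fingerprint(path):
    """Clock-independent record: permission bits, owner, size, epoch mtime, content hash."""
    st = os.lstat(path)
    h = hashlib.sha256()  # hashlib.md5 would mirror the MD5(1) suggestion in the thread
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid,
            st.st_size, int(st.st_mtime), h.hexdigest())

def setid_files(root):
    """Every regular file under root with the setuid or setgid bit, keyed by path."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[p] = fingerprint(p)
    return found

def compare(baseline, current):
    """{path: (old, new)} for entries added, removed or altered since the baseline."""
    return {p: (baseline.get(p), current.get(p))
            for p in set(baseline) | set(current) if baseline.get(p) != current.get(p)}

def demo():
    """Constructed fixture: a fake setuid 'su' in a temp dir (not a real binary)."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "su")
    with open(p, "wb") as f:
        f.write(b"fake su binary v1")
    os.chmod(p, 0o4755)
    base = setid_files(d)
    now = max(int(time.time()), base[p][4])
    # Same untouched file seen today and seven months later: ls column differs, fingerprint does not
    dates = (ls_date(base[p][4], now), ls_date(base[p][4], now + SIX_MONTHS + 86400))
    unchanged = compare(base, setid_files(d))  # empty: nothing really changed
    with open(p, "wb") as f:
        f.write(b"fake su binary v2")  # simulate the binary being replaced
    os.chmod(p, 0o4755)  # a write by a non-root user clears the set-id bits
    return p, dates, unchanged, compare(base, setid_files(d))
```

Run demo() to see the two ls-style date strings side by side with an empty change set, then the replaced file reported with its old and new hash.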