Looks like I can relax and look for a modified solution for the SUID 
comparison. I was bitten by an irregularity in the LS command.. (See below)

Thank you all again for the prompt responses. I can cancel the order for 
tranquilizers.

Gary B

BTW is anyone else running into this problem of doing a diff on the results 
of a LS command?

At 01:28 PM 2/14/00 -0600, you wrote:
>Looks like you are getting bit by the ls(1) command.  The way it behaves
>is that anything older than a given time frame (typically six months) is
>displayed with a year, and anything younger is displayed with the time.
>Also, future dates are displayed with the year.
>
>If you are checking for date changes, you should probably have a perl
>script that can check the EPOCH date value, and also do things like
>MD5(1) checksums.
>
>There are a few freeware products out there that already do this type of
>stuff.
>
>Hope this helps.
>
>--
>Chris Riney                     E-mail: [EMAIL PROTECTED]
>Tandy Information Services
>Tandy Technology Sqr, Suite 200
>Fort Worth, TX 76102             Phone: 817/415-0308; 8:00am-5:00pm CST,Mo-Fr
>*** NOTICE: This in no way authorizes use of This E-mail address,
>***   or any mentioned in this message, to be included in any Mailing list!
>
>
>   /"\
>   \ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
>    X  ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
>   / \
>
>"Baribault, Gary" <[EMAIL PROTECTED]> wrote:
> > Hi All,
> >
> >          I have had an IPChains firewall up at a customer's site for a while
> > and run David Ranch's sendlogs every night. When I first set up I logged
> > all the SUID programs to a file and the sendlogs compares them every night.
> > I later updated traceroute from Red Hat's site (I am running on RH6.1) and
> > from then on I got a warning every night about traceroute having been
> > changed. I recently came across the following saying that rcp, rlogin and
> > rsh had changed. I went in and deleted the three executables since I don't
> > use them, I also changed the root password and could not find anything
> > else. Then this weekend I find that at, lockfile, procmail and su have
> > changed. I don't get it!! I am running very few daemons on the
> > machine, have locked down the ports quite tight, and only port forward
> > http, telnet, ftp and smtp to other machines! I think I will have to
> > rebuild the machine .. how did they get in? I am not running apm, bind, or
> > any other vulnerable daemons.. is ATD vulnerable from remote attack?
> >
> > Gary B
> >
> >
> > >Date: Thu, 27 Jan 2000 04:03:08 -0500
> > >From: root <[EMAIL PROTECTED]>
> > >Subject: TrinityOS SUID results for Jan 26
> > >To: [EMAIL PROTECTED]
> > >
> > >15,17c15,17
> > >< 148416   16 -rwsr-xr-x   1 root     root        14868 Jul 30 19:17
> > >/usr/bin/rcp
> > >< 148418   12 -rwsr-xr-x   1 root     root        10708 Jul 30 19:17
> > >/usr/bin/rlogin
> > >< 148419    8 -rwsr-xr-x   1 root     root         7908 Jul 30 19:17
> > >/usr/bin/rsh
> > >---
> > > > 148416   16 -rwsr-xr-x   1 root     root        14868 Jul 30  1999
> > > /usr/bin/rcp
> > > > 148418   12 -rwsr-xr-x   1 root     root        10708 Jul 30  1999
> > > /usr/bin/rlogin
> > > > 148419    8 -rwsr-xr-x   1 root     root         7908 Jul 30  1999
> > > /usr/bin/rsh
> > >26c26
> > ><  83922   20 -rwsr-xr-x   1 root     bin         16488 Jul  2 10:21
> > >/usr/sbin/traceroute
> > >---
> > > >  83922   20 -rwsr-xr-x   1 root     bin         16488 Jul  2  1999
> > > /usr/sbin/traceroute
> >
> > Date: Fri, 11 Feb 2000 04:03:37 -0500
> > From: root <[EMAIL PROTECTED]>
> > Subject: TrinityOS SUID results for Feb 10
> > To: [EMAIL PROTECTED]
> > Message-id: <[EMAIL PROTECTED]>
> > MIME-version: 1.0
> > Content-type: TEXT/PLAIN; CHARSET=US-ASCII
> >
> > 15,17d14
> > < 148416   16 -rwsr-xr-x   1 root     root        14868 Jul 30 19:17
> > /usr/bin/rcp
> > < 148418   12 -rwsr-xr-x   1 root     root        10708 Jul 30 19:17
> > /usr/bin/rlogin
> > < 148419    8 -rwsr-xr-x   1 root     root         7908 Jul 30 19:17
> > /usr/bin/rsh
> > 26d22
> > <  83922   20 -rwsr-xr-x   1 root     bin         16488 Jul  2 10:21
> > /usr/sbin/traceroute
> >
> >
> > Date: Mon, 14 Feb 2000 04:02:51 -0500
> > From: root <[EMAIL PROTECTED]>
> > Subject: TrinityOS SUID results for Feb 13
> > To: [EMAIL PROTECTED]
> > Message-id: <[EMAIL PROTECTED]>
> > MIME-version: 1.0
> > Content-type: TEXT/PLAIN; CHARSET=US-ASCII
> >
> > 5c5
> > < 147677   36 -rwsr-xr-x   1 root     root        33152 Aug 16 16:35
> > /usr/bin/at
> > ---
> >  > 147677   36 -rwsr-xr-x   1 root     root        33152 Aug 16  1999
> > /usr/bin/at
> > 13,17c13,14
> > < 148392   12 -rwxr-sr-x   1 root     mail        12072 Aug 16 14:57
> > /usr/bin/lockfile
> > < 148394   72 -rwsr-sr-x   1 root     mail        69556 Aug 16 14:57
> > /usr/bin/procmail
> > < 148416   16 -rwsr-xr-x   1 root     root        14868 Jul 30 19:17
> > /usr/bin/rcp
> > < 148418   12 -rwsr-xr-x   1 root     root        10708 Jul 30 19:17
> > /usr/bin/rlogin
> > < 148419    8 -rwsr-xr-x   1 root     root         7908 Jul 30 19:17
> > /usr/bin/rsh
> > ---
> >  > 148392   12 -rwxr-sr-x   1 root     mail        12072 Aug 16  1999
> > /usr/bin/lockfile
> >  > 148394   72 -rwsr-sr-x   1 root     mail        69556 Aug 16  1999
> > /usr/bin/procmail
> > 26d22
> > <  83922   20 -rwsr-xr-x   1 root     bin         16488 Jul  2 10:21
> > /usr/sbin/traceroute
> > 28c24
> > < 115329   16 -rwsr-xr-x   1 root     root        14124 Aug 17 22:31 
> /bin/su
> > ---
> >  > 115329   16 -rwsr-xr-x   1 root     root        14124 Aug 17  1999 
> /bin/su
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>

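An added example, not part of the original thread or of the sendlogs script: it reproduces the ls date-column flip seen in the reports above and builds the SUID/SGID baseline from raw stat fields (epoch mtime) plus a content hash, as the reply suggests. The function names and the 180-day cutoff are assumptions, and SHA-256 stands in for the MD5 checksum mentioned in the reply.

```python
import calendar
import hashlib
import os
import stat
import time

CUTOFF = 180 * 24 * 3600  # assumed cutoff; the reply only says "typically six months"

def ls_style_date(mtime, now):
    """Mimic the ls -l date column: clock time for recent files, year otherwise."""
    t = time.gmtime(mtime)
    recent = now - CUTOFF < mtime <= now  # old and future dates both show the year
    tail = time.strftime("%H:%M", t) if recent else f" {t.tm_year}"
    return f"{time.strftime('%b', t)} {t.tm_mday:2d} {tail}"

def suid_record(path):
    """Stable fields for one file: no formatted dates, plus a content hash."""
    st = os.lstat(path)
    with open(path, "rb") as fh:  # assumes the scan runs with read access
        digest = hashlib.sha256(fh.read()).hexdigest()
    return (st.st_ino, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid,
            st.st_size, int(st.st_mtime), digest)

def snapshot(root):
    """Map path -> record for every regular SUID/SGID file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = suid_record(path)
    return found

def compare(old, new):
    """Return (added, removed, changed) path lists between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

if __name__ == "__main__":
    # Constructed input: the rcp timestamp from the reports, read as UTC.
    mtime = calendar.timegm((1999, 7, 30, 19, 17, 0))
    for now in (calendar.timegm((2000, 1, 1, 0, 0, 0)),
                calendar.timegm((2000, 2, 14, 0, 0, 0))):
        print(ls_style_date(mtime, now), "| epoch:", mtime)
```

A nightly job would store the result of `snapshot()` and mail only the non-empty lists from `compare()`, so a file aging past the cutoff no longer produces a report.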