As a matter of fact, /bin/mount _is_ installed suid. Don't know about the rest,
but I'll check the filelist in a few minutes after I've sifted through all of my
emails from the weekend. A possible scenario is that the user hasn't been
hacked, but that the security database somehow got corrupted, therefore ceased
to exist or was unreadable, hence the security update had nothing to compare
against, and each suid program was a "new" suid program. Other possible
scenario: it's the first time this program ran, and it had no previous database,
resulting in more or less the same situation as above. Third possible
scenario: user just changed security levels, in the old security level the
security update wasn't scheduled, in this one it was, the rest is the same as the
previous scenario.

You know the saying about bad memories, right? "The great thing about a bad
memory is that you can get amazed time after time about the same old
things..." (or something along those lines). Well, it applies to this situation
very well.

Before assuming the worst (which when it comes to security issues is a very good
reaction), check, and rule out other possibilities first. If I got a nickel for
every time the computer thought the end of the world was near, I'd be sporting a
big 'ole bag full o' nickels and a truckload of bubble-gum by now ;-)



On Apr 24 [EMAIL PROTECTED] wrote:

> Ron, re-read the message. It specifically says that files that shouldn't be suid
> have been changed to suid since the last scan.
> 
> For instance, mount, su, and umount should never be suid. They aren't installed
> that way, so "something" had to change them.
> 
> Even if it wasn't a hack job, there are many security holes here. I wouldn't want
> to have that system anywhere near a public network until it's fixed.
> 
> Russ
> 
> Ron Stodden wrote:
> 
> > Andrew Vogel wrote:
> > >
> > > I woke up this morning to find this email in my system:
> >
> > ...
> >
> > > I've been hacked! The questions, now, are: 1. How do I fix this? and 2. How
> > do I prevent it from happening again?
> >
> > No you haven't!   This is just the periodic report done on your
> > system security by your own msec (man msec).    I have not seen it as
> > an email before, only as /var/log/messages messages, so msec must
> > consider the situation serious.
> >
> > It is telling you what needs to be done to bring your security up to
> > snuff so that you can't be hacked.
> >
> > --
> >
> > Regards,
> >
> > Ron. [AU] - sent by Linux.
> 

-- 

Rial Juan                        <http://nighty.ulyssis.org>
                e-mail:              [EMAIL PROTECTED]
Belgium            tel:                    (++32) 89/856533
ulyssis system administrator        <http://www.ulyssis.org>

The little critters in nature; they don't know they're ugly.
That's very funny... A fly marrying a bumble-bee...

------------------------------------------------------------

Sign the petition at http://www.libranet.com/petition.html
Help bring us more Linux Drivers
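
The first two scenarios in the reply above (a lost or corrupted previous list, or a first run with no previous list) can be told apart from a real change by checking the state of the baseline before reading the diff. The following is an added example, not part of the original thread and not msec's own code; the baseline path and the function names are assumptions made for illustration.

```python
import os
import stat

def scan_suid(root):
    """Return the set of regular files under root that have the setuid bit."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable entry; skip it
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                found.add(path)
    return found

def load_baseline(path):
    """Return (state, entries); state is ok, missing, unreadable or empty."""
    try:
        with open(path, encoding="utf-8") as fh:
            entries = {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return "missing", set()
    except (OSError, UnicodeDecodeError):
        return "unreadable", set()
    return ("ok" if entries else "empty"), entries

def compare(baseline_path, current):
    """Diff current suid paths against the baseline and flag a useless diff."""
    state, baseline = load_baseline(baseline_path)
    if state != "ok":
        # No usable previous list: every suid file looks "new", so the
        # report shows a lost or first-run baseline, not a change on disk.
        return {"baseline": state, "meaningful": False,
                "added": sorted(current), "removed": []}
    return {"baseline": "ok", "meaningful": True,
            "added": sorted(current - baseline),
            "removed": sorted(baseline - current)}

if __name__ == "__main__":
    # Hypothetical baseline path; constructed for this example.
    report = compare("/var/tmp/suid.baseline", scan_suid("/bin"))
    print(report["baseline"], report["meaningful"], report["added"])
```

When `meaningful` is false, the list of "new" suid files is simply the full current set, and the installed package file lists are the thing to check it against.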

