Looks like you are getting bit by the ls(1) command. The way it behaves,
is that anything older than a given time frame (typically six months) is
displayed with a year, and anything younger is displayed with the time.
Also Future dates are displayed with the year.
If you are checking for date changes, you should probably have a perl
script that can check the EPOCH date value, and also do things like
MD5(1) checksums.
There are a few freeware products out there that already do this type of
stuff.
Hope this helps.
--
Chris Riney E-mail: [EMAIL PROTECTED]
Tandy Information Services
Tandy Technology Sqr, Suite 200
Fort Worth, TX 76102 Phone: 817/415-0308; 8:00am-5:00pm CST,Mo-Fr
*** NOTICE: This in no way authorizes use of This E-mail address,
*** or any mentioned in this message, to be included in any Mailing list!
/"\
\ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
/ \
"Baribault, Gary" <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I have had an IPChains firewall up a customer's site for a while
> and run David Ranch's sendlogs every night. When I first set up I logged
> all the SUID programs to a file and the sendlogs compares them every night.
> I later updated traceroute from Red Hat's site (I am running on RH6.1) and
> from then on I got a warning every night aboout traceroute having been
> changed. I recently came across the following saying that rcp, rlogin and
> rsh had changed. I went in and deleted the three executables since I dont
> use them, I also changed the root password and could not find anything
> else. then this weekend I find that at, lockfile, procmail and su have
> changed. I dont get it!! I am running very few daemons on the
> machine, have locked down the ports quite tight, and only port forward
> http, telnet, ftp and smtp to other machines! I think I will have to
> rebuild the machine .. how did they get in? I am not running apm, bind, or
> any other vulnerable daemons.. is ATD vulnerable from remote attack?
>
> Gary B
>
>
> >Date: Thu, 27 Jan 2000 04:03:08 -0500
> >From: root <[EMAIL PROTECTED]>
> >Subject: TrinityOS SUID results for Jan 26
> >To: [EMAIL PROTECTED]
> >
> >15,17c15,17
> >< 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 19:17
> >/usr/bin/rcp
> >< 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 19:17
> >/usr/bin/rlogin
> >< 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 19:17
> >/usr/bin/rsh
> >---
> > > 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 1999
> > /usr/bin/rcp
> > > 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 1999
> > /usr/bin/rlogin
> > > 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 1999
> > /usr/bin/rsh
> >26c26
> >< 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 10:21
> >/usr/sbin/traceroute
> >---
> > > 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 1999
> > /usr/sbin/traceroute
>
> Date: Fri, 11 Feb 2000 04:03:37 -0500
> From: root <[EMAIL PROTECTED]>
> Subject: TrinityOS SUID results for Feb 10
> To: [EMAIL PROTECTED]
> Message-id: <[EMAIL PROTECTED]>
> MIME-version: 1.0
> Content-type: TEXT/PLAIN; CHARSET=US-ASCII
>
> 15,17d14
> < 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 19:17
> /usr/bin/rcp
> < 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 19:17
> /usr/bin/rlogin
> < 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 19:17
> /usr/bin/rsh
> 26d22
> < 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 10:21
> /usr/sbin/traceroute
>
>
> Date: Mon, 14 Feb 2000 04:02:51 -0500
> From: root <[EMAIL PROTECTED]>
> Subject: TrinityOS SUID results for Feb 13
> To: [EMAIL PROTECTED]
> Message-id: <[EMAIL PROTECTED]>
> MIME-version: 1.0
> Content-type: TEXT/PLAIN; CHARSET=US-ASCII
>
> 5c5
> < 147677 36 -rwsr-xr-x 1 root root 33152 Aug 16 16:35
> /usr/bin/at
> ---
> > 147677 36 -rwsr-xr-x 1 root root 33152 Aug 16 1999
> /usr/bin/at
> 13,17c13,14
> < 148392 12 -rwxr-sr-x 1 root mail 12072 Aug 16 14:57
> /usr/bin/lockfile
> < 148394 72 -rwsr-sr-x 1 root mail 69556 Aug 16 14:57
> /usr/bin/procmail
> < 148416 16 -rwsr-xr-x 1 root root 14868 Jul 30 19:17
> /usr/bin/rcp
> < 148418 12 -rwsr-xr-x 1 root root 10708 Jul 30 19:17
> /usr/bin/rlogin
> < 148419 8 -rwsr-xr-x 1 root root 7908 Jul 30 19:17
> /usr/bin/rsh
> ---
> > 148392 12 -rwxr-sr-x 1 root mail 12072 Aug 16 1999
> /usr/bin/lockfile
> > 148394 72 -rwsr-sr-x 1 root mail 69556 Aug 16 1999
> /usr/bin/procmail
> 26d22
> < 83922 20 -rwsr-xr-x 1 root bin 16488 Jul 2 10:21
> /usr/sbin/traceroute
> 28c24
> < 115329 16 -rwsr-xr-x 1 root root 14124 Aug 17 22:31 /bin/su
> ---
> > 115329 16 -rwsr-xr-x 1 root root 14124 Aug 17 1999 /bin/su
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
