Bugtraq mailing list archives

Strange changes - any ideas?


From: fc () all net (Fred Cohen)
Date: Sat, 8 Jun 1996 09:47:48 -0400


We run a change-controlled environment, which means that we should be
aware of all changes.  To crosscheck this, we regularly do automated
change detection.  This morning, I made some minor changes to some user
areas and ran the change control checks only to find the changes listed
below. (Here are some select extracts)

        *** '/bin/newgrp' has changed as follows:
           The contents (md5 checksum) changed. Any change in content can trigger this.

Note that while the content changed, none of the times changed,
the space remained the same, etc.

        *** '/etc/motd' has changed as follows:
           The size changed. This indicates an addition or removal.
           The modification time changed. This indicates a file edit or similar change.
           The status change time changed. Any change should trigger this.
           The content did not change! This could be the result of a reboot or a crash.

Here's one where everything indicates a change, but the content is
unchanged! Sort of hard to believe - there were several of these.

These changes would normally indicate a massive corruption, a disk
crash, total system collapse, or takeover by bad-people.  I checked the
log files that would indicate any intrusions and found nothing to
indicate any out-of-the-ordinary usage.  I found an apparent file in a
directory listing - but when I tried to see it, it did not actually
exist.  I did a cat of /etc/motd (described above) and found that it had
a partial syslog entry appended to it - very strange stuff considering
that the MD5 checksum was unchanged!

Within a few minutes, I rebooted the system.  When it came back up, I
ran a complete check again, only to find NONE of these changes! I
suspect some sort of memory cache problem but wanted to get some other
opinions.

The security implications? Good gracious.  During a corruption such as
this I could have (I actually did at one point) modified files that should
not have been accessible to me - apparently because permissions were
also corrupt (as cached?).  System: SunOS on a Sun 4/330.

Just so we all understand, here are some extracts of the things that
were "unchanged" after reboot:

====================================================
Tracer Starting Engines on all.net by fc.
     Sat Jun  8 08:52:43 EDT 1996
The system type is SunOS Unix
Copyright (c), 1985-6 Management Analytics
          All Rights Reserved
====================================================

======>> Start:Checking for changes in system files.
Change control database found and being used.
Checking for changes in existing files.
Checking /var
Checking /bin
*** '/bin/newgrp' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/login' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/crontab' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/atq' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/bin/atrm' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/bin/cu' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/tip' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/iostat' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/bin/ipcs' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/lp' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/bin/lpstat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/cancel' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/bin/ypcat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/ypmatch' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/bin/yppasswd' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/fusage' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/nsquery' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/uucp' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/uulog' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/uuname' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/uupick' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/uusend' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/bin/uustat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/uuto' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/uux' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/lpstat.FCS' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/bin/cancel.FCS' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/mail.orig' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/bin/at.FCS' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/lpstat.101434-01' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/cancel.101434-01' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/iostat.FCS' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/login_orig' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/rnews' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/bin/screen' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/bin/passwd.old' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
Checking /usr/bin
*** '/usr/bin/newgrp' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/login' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/crontab' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/atq' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/bin/atrm' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/bin/cu' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/tip' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/iostat' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/bin/ipcs' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/lp' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/bin/lpstat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/cancel' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/bin/ypcat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/ypmatch' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/bin/yppasswd' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/fusage' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/nsquery' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/uucp' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/uulog' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/uuname' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/uupick' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/uusend' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/bin/uustat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/uuto' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/uux' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/lpstat.FCS' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/bin/cancel.FCS' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/mail.orig' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/bin/at.FCS' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/lpstat.101434-01' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/cancel.101434-01' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/iostat.FCS' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/login_orig' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/rnews' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/bin/screen' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/bin/passwd.old' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
Checking /usr/ucb
*** '/usr/ucb/lpr' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/ucb/lpq' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/ucb/lpq.FCS' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/ucb/vmstat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/ucb/rdist' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/ucb/lpr.FCS' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/ucb/lprm.FCS' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/ucb/lprm' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/ucb/lpr.101434-01' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/ucb/lprm.101434-01' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/ucb/lpq.101434-01' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
Checking /etc
*** '/etc/ld.so.cache' has changed as follows:
   The modification time changed. This indicates a file edit or similar change.
   The status change time changed. Any change should trigger this.
   The content did not change! This could be the result of a reboot or a crash.
*** '/etc/arp' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/etc/crash' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/etc/dkinfo' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/etc/dmesg' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/etc/dump' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/etc/ypbind.lock' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/etc/motd' has changed as follows:
   The size changed. This indicates an addition or removal.
   The modification time changed. This indicates a file edit or similar change.
   The status change time changed. Any change should trigger this.
   The content did not change! This could be the result of a reboot or a crash.
*** '/etc/mtab' has changed as follows:
   The modification time changed. This indicates a file edit or similar change.
   The status change time changed. Any change should trigger this.
   The content did not change! This could be the result of a reboot or a crash.
*** '/etc/psdatabase' has changed as follows:
   The modification time changed. This indicates a file edit or similar change.
   The status change time changed. Any change should trigger this.
   The content did not change! This could be the result of a reboot or a crash.
*** '/etc/pstat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/etc/rdump' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/etc/shutdown' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/etc/syslog.pid' has changed as follows:
   The modification time changed. This indicates a file edit or similar change.
   The status change time changed. Any change should trigger this.
   The content did not change! This could be the result of a reboot or a crash.
*** '/etc/ttys' has changed as follows:
   The modification time changed. This indicates a file edit or similar change.
   The status change time changed. Any change should trigger this.
   The content did not change! This could be the result of a reboot or a crash.
Checking /usr/etc
*** '/usr/etc/dump' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/rdump' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/shutdown' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/arp' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/dmesg' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/dkinfo' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/pstat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/crash' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/keyenvoy' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/eeprom' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/auditd' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/chill' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/dumpfs' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/kgmon' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/trpt' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/devinfo' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/lpc' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/nfsstat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/rfsetup' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/in.uucpd' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/lpc.FCS' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/pac.FCS' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/ypserv.orig' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/lpc.101434-01' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/etc/pac.101434-01' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/etc/pppd' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
Checking /usr/kvm
*** '/usr/kvm/pstat' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/kvm/crash' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/kvm/getcons' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/kvm/eeprom' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/kvm/ps.FCS' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
Checking /usr/lib
*** '/usr/lib/lpd' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/lib/exrecover' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/lib/expreserve' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/lib/lpd.FCS' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/lib/expreserve.FCS' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/lib/lpd.101434-01' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/lib/sendmail.real' has changed as follows:
   The contents (md5 checksum) changed. Any change in content can trigger this.
*** '/usr/lib/sendmail.mx.fcs' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
*** '/usr/lib/sendmail.fcs' has changed as follows:
   The content did not change! This could be the result of a reboot or a crash.
Checking for files in the database but not in the system.
<<=== End:Done checking for changes in system files.


====================================================
Tracer done - Sat Jun  8 08:57:19 EDT 1996
====================================================

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 330-686-0090 - PO Box 1480, Hudson, OH 44236
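The check described at the top of the message, written out as an added example. This is not Fred Cohen's Tracer (Management Analytics), whose code is not on this page; it assumes Python 3 and a POSIX stat(). It records the same attributes the report above lists (size, mtime, ctime, MD5 of the contents), compares a fresh snapshot against a baseline, and prints one message per changed attribute. Beyond the page, it also tracks the permission bits and flags the two combinations in the post that an ordinary edit cannot produce (digest changed with no size, mtime or ctime change; size changed with an identical digest) as INCONSISTENT. The `mode` field, the INCONSISTENT rules and the file names in `demo()` are my additions, and the files `demo()` creates are constructed for the example.

```python
"""Change detection in the style of the Tracer report above (added example,
not the original tool).  MD5 is kept only to match the 1996 report; anything
new should use SHA-256."""
import hashlib
import os
import tempfile
from typing import Dict, List

Record = Dict[str, object]
FIELDS = ("size", "mode", "mtime", "ctime", "md5")


def md5_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path: str) -> Record:
    """stat() plus a content digest.  Both are read through the running
    kernel, so a host whose cache or metadata is wrong misleads this check
    too; the only independent read comes from another, trusted system."""
    st = os.stat(path)
    return {"size": st.st_size, "mode": st.st_mode & 0o7777,
            "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns, "md5": md5_file(path)}


def build_baseline(paths: List[str]) -> Dict[str, Record]:
    return {p: snapshot(p) for p in paths}


def compare(old: Record, new: Record) -> List[str]:
    """Messages for one file, in the spirit of the Tracer lines above."""
    changed = {f for f in FIELDS if old[f] != new[f]}
    msgs: List[str] = []
    if "size" in changed:
        msgs.append("The size changed. This indicates an addition or removal.")
    if "mode" in changed:  # my addition: a new setuid bit or loosened mode
        msgs.append("The permission bits changed (%o -> %o)." % (old["mode"], new["mode"]))
    if "mtime" in changed:
        msgs.append("The modification time changed. This indicates a file edit or similar change.")
    if "ctime" in changed:
        msgs.append("The status change time changed. Any change should trigger this.")
    if "md5" in changed:
        msgs.append("The contents (md5 checksum) changed.")
    times = changed & {"size", "mtime", "ctime"}
    # Consistency rules (my addition): combinations a normal edit cannot produce.
    if "md5" in changed and not times:
        msgs.append("INCONSISTENT: contents changed but size, mtime and ctime did not. "
                    "Either a replacement had its timestamps restored or one of the two "
                    "reads was bad; re-read from trusted media before believing either.")
    if "size" in changed and "md5" not in changed:
        msgs.append("INCONSISTENT: size changed but the checksum did not. Metadata and "
                    "contents disagree; do not trust this host's view of the file.")
    if times and not changed & {"size", "md5"}:
        msgs.append("Timestamps changed with identical contents (touch, chmod, chown "
                    "or a rewrite of the same bytes).")
    return msgs


def diff_baselines(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Per-file report, including files present on only one side."""
    report: Dict[str, List[str]] = {}
    for path in sorted(set(old) | set(new)):
        if path not in new:
            report[path] = ["File is in the database but not in the system."]
        elif path not in old:
            report[path] = ["File is in the system but not in the database."]
        else:
            msgs = compare(old[path], new[path])
            if msgs:
                report[path] = msgs
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one file edited, one removed, one added, one untouched."""
    with tempfile.TemporaryDirectory() as d:
        names = ["untouched.txt", "edited.txt", "removed.txt"]
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("login: root\n")
        baseline = build_baseline([os.path.join(d, n) for n in names])
        with open(os.path.join(d, "edited.txt"), "a") as fh:
            fh.write("partial syslog line\n")      # size and digest change
        os.remove(os.path.join(d, "removed.txt"))
        with open(os.path.join(d, "added.txt"), "w") as fh:
            fh.write("new\n")
        now = build_baseline([os.path.join(d, n) for n in os.listdir(d)])
        return {os.path.basename(p): m for p, m in diff_baselines(baseline, now).items()}


if __name__ == "__main__":
    for path, msgs in demo().items():
        print("*** '%s' has changed as follows:" % path)
        for m in msgs:
            print("   " + m)
```

The two INCONSISTENT rules are the part worth keeping: a digest change with untouched timestamps is the classic signature of a replaced binary whose mtime was put back, and a size change with an unchanged digest means the host's own metadata and contents disagree, which is the symptom in the post. In both cases the useful next step is a second read from media the running kernel did not produce, not a reboot followed by trusting the clean result.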


