
Re: IDS detected smbpasswd modified



Mirco Bauer wrote:
> On Mon, 2005-07-18 at 15:29 +0200, Albert Dorofeev wrote:
> 
>>Does anyone have any idea why the ctime would change
>>so often for a file that is essentially not changing
>>in any way, especially not the attributes?
> 
> it's changing, the computer passwords are updated by the windows boxes
> regularly also applied when a user changes his password, so tell the IDS
> to ignore the ctime flag for that file.

If the passwords change, the contents of the file smbpasswd
change. IIRC, that means the mtime changes. Now, even if
that is not the case, I am perfectly sure the passwords were
not changed by users. The ctime is related to the change
of the attributes of the file. Why would attributes change
and how can I find out what changes them? I understand
that it is most likely the smb daemon but this is strange
behaviour to say the least:

ctime_new=<[2005-07-18T09:44:55]>
ctime_new=<[2005-07-18T14:53:10]>
ctime_new=<[2005-07-18T18:00:00]>
ctime_new=<[2005-07-18T22:00:00]>
ctime_new=<[2005-07-19T02:00:00]>
ctime_new=<[2005-07-19T06:00:00]>

It seems to have settled into a pattern of updating the
attributes every 4 hours. What gives?

Albert
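
An added example, not part of the original message or of any IDS mentioned in the thread: a Python sketch that snapshots the stat fields an integrity checker compares and classifies what kind of change occurred between two snapshots. On POSIX systems ctime is updated by content writes and by renames as well as by chmod/chown; the scratch file, its contents and the function names are constructed for illustration.

```python
import os
import tempfile

FIELDS = ("st_ino", "st_mode", "st_uid", "st_gid", "st_nlink",
          "st_size", "st_mtime_ns", "st_ctime_ns")

def snapshot(path):
    """Record the stat fields a file-integrity checker typically compares."""
    st = os.stat(path)
    return {f: getattr(st, f) for f in FIELDS}

def classify(old, new):
    """Return (kind, changed_fields) for two snapshots of one path."""
    changed = [f for f in FIELDS if old[f] != new[f]]
    if "st_ino" in changed:
        kind = "replaced"    # a new file was renamed over the old name
    elif "st_size" in changed or "st_mtime_ns" in changed:
        kind = "content"     # data was written; ctime moves as well
    elif changed:
        kind = "metadata"    # mode/owner/link count, or ctime alone
    else:
        kind = "unchanged"
    return kind, changed

def demo():
    """Constructed scenario on a scratch file, not a real smbpasswd."""
    kinds = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample")
        with open(path, "w") as fh:
            fh.write("constructed-line-1\n")
        os.chmod(path, 0o600)
        base = snapshot(path)
        kinds.append(classify(base, snapshot(path))[0])   # nothing done

        os.chmod(path, 0o640)                             # attribute only
        kinds.append(classify(base, snapshot(path))[0])
        base = snapshot(path)

        with open(path, "a") as fh:                       # in-place write
            fh.write("constructed-line-2\n")
        kinds.append(classify(base, snapshot(path))[0])
        base = snapshot(path)

        tmp = path + ".tmp"                               # rewrite + rename
        with open(tmp, "w") as fh:
            fh.write("constructed-line-1\n")
        os.replace(tmp, path)
        kinds.append(classify(base, snapshot(path))[0])
    return kinds

if __name__ == "__main__":
    print(demo())
```

Run against periodic snapshots of a monitored file, the list of changed fields shows whether a ctime alert came with a new inode, a new mtime, or neither.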


