Re: Things changing overnight
On Sat, Aug 09, 2003 at 10:47:27PM -0700, Ken Bloom wrote:
> Sometime in the past few days, my modem /dev/ttyS4 changed its
> permissions from 660 to 640 without my intervention. My first question:
> is there any kind of security package on debian that might have done
> this as a cronjob? I don't use devfs.
>
> When asking on #debian, a user suggested that I check my logs to see if
> I had been hacked.
*sigh* Such a typical #debian knee-jerk response. Why would a cracker
want to reduce the permissions on a device, and a fairly innocuous one
at that? By a single bit? Don't panic; this is vanishingly unlikely and
you definitely shouldn't go off and reinstall on the word of somebody on
IRC who gives that answer to everything out of the ordinary.
> I found in /var/logs/auth.log that the command `su` had been run to
> switch from user `root` to user `nobody` at 3:35 this morning,
That's a standard cron job reducing privileges in a slightly noisy way.
Don't worry about it.
I have no specific suggestions, unfortunately, but if I were you, I'd
start grepping for 'ttyS' in /etc and start there. Assuming you haven't
changed the permissions back, you could also install the 'stat' package,
type 'stat /dev/ttyS4', and look at the "Change:" line; that'll tell you
when the change happened, and perhaps you could use that time to isolate
a particular cron job (or at least a particular class of cron jobs - see
/etc/crontab or /etc/anacrontab). If you have changed them back, then
wait until it happens again - since it probably will - and start
investigating then.
> please cc: me as I am not subscribed to this high-volume mailing list
If you could include an appropriate Mail-Followup-To: header so that
some people's mailers will do that automatically, it would be helpful.
Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
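The two checks Colin suggests (read the inode change time of the device, then search /etc for whatever mentions it), as an added example that is not part of the thread. It assumes GNU coreutils `stat` and a POSIX shell, and builds a made-up /dev and /etc under a temporary directory so it runs without touching the real system.

```shell
#!/bin/sh
# Added example, not from the thread. The files under $DEMO are constructed
# here to stand in for /dev/ttyS4 and the cron files under /etc.

# Inode change time (the "Change:" line of `stat`) as seconds since the epoch.
# ctime moves on chmod/chown/mv, not only on writes, so it dates the chmod.
change_epoch() {
    stat -c '%Z' "$1"
}

# Octal permission bits of a file, e.g. 660 or 640.
perm_octal() {
    stat -c '%a' "$1"
}

# refs_in DIR PATTERN: lines under DIR (e.g. /etc) that mention PATTERN
# (e.g. ttyS) outside of comments, printed as file:line:text.
refs_in() {
    grep -rn -e "$2" "$1" 2>/dev/null | grep -v ':[[:space:]]*#' || true
}

# --- constructed fixture standing in for /dev and /etc ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/dev" "$DEMO/etc/cron.daily"
: > "$DEMO/dev/ttyS4"                 # plain file standing in for the device node
chmod 660 "$DEMO/dev/ttyS4"
# a made-up daily job that does what the poster observed
printf '#!/bin/sh\n# tighten dial-out access\nchmod 640 /dev/ttyS4\n' \
    > "$DEMO/etc/cron.daily/modem-perms"
# a made-up config that only names the device in a comment (must not match)
printf '# ttyS4 is the modem\n' > "$DEMO/etc/modem.conf"

chmod 640 "$DEMO/dev/ttyS4"           # the "overnight" change

# What the poster would compare against the times in /etc/crontab:
echo "ttyS4 is mode $(perm_octal "$DEMO/dev/ttyS4"), ctime $(change_epoch "$DEMO/dev/ttyS4")"
refs_in "$DEMO/etc" ttyS
```

On a real box the same calls are `change_epoch /dev/ttyS4` and `refs_in /etc ttyS`; a ctime that lands on a cron.daily run time points at that class of jobs.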