
Changed file perms



I've been running OBSD 3.1 as a firewall for several months.  Access
to the machine is via SSH; ports 25 and 80 are open, but are mapped to
a machine behind the firewall.  SSHD version is 3.2.

Recently I tried to SSH into the machine remotely, using a non-root
account, and was denied access.  I was able to log in locally, and
discovered that several utils in /usr/bin and /bin have had perms
modified:

-rwx------  1 root  wheel     12288 Jul  1  2002 find
-rwx------  1 root  wheel     12288 Jul  1  2002 passwd
-rwx------  1 root  wheel     12288 Jul  1  2002 su
-rwx------  1 root  wheel     16384 Jul  1  2002 ls
-rwx------  1 root  wheel     12288 Jul  3  2002 ps
-rwx------  1 root  wheel     25306 May  3 06:57 netstat

(These have always had group wheel perms set.)

Then the following strangeness popped up on the status log:

===start===

Checking root csh paths, umask values:
/etc/csh.cshrc /etc/csh.login /root/.cshrc /root/.login
The root path includes .
The root path includes .

Checking home directories.
user drwx------ home directory is owned by wheel
user drwx------ home directory is owned by wheel
user drwxr-xr-x home directory is owned by wheel
user drwxr-xr-x home directory is owned by wheel
user drwxrwxr-t home directory is owned by daemon
user drwxr-xr-x home directory is owned by daemon
user drwxr-xr-x home directory is owned by wheel
user drwx------ home directory is owned by brian
user drwxr-sr-x home directory is owned by qmail
...
Checking dot files.
user -rw------- 1 file is owned by 523
user -rw-r--r-- 2 file is owned by 669
user -rw------- 1 file is owned by 127
user -rw-r--r-- 1 file is owned by 187
user -rw-r--r-- 2 file is owned by 148
user -rw-r--r-- 1 file is owned by 241
user -rw-r--r-- 2 file is owned by 669
user -rw------- 1 file is owned by 127
user -rw-r--r-- 1 file is owned by 187
user -rw-r--r-- 2 file is owned by 148
user -rw-r--r-- 1 file is owned by 241
user -rw-r--r-- 2 file is owned by 669

Checking special files and directories.
Output format is:
    filename:
        criteria (shouldbe, reallyis)
usr/src:
    gid (9, 0)

===end===

A search of the logs shows nothing amiss, except for a restart on May 3
and the following sshd errors:

===start===

May  3 06:02:57 cinnabar sshd[21439]: fatal: buffer_get_string: bad string length 263168
May  3 06:55:58 cinnabar sshd[1675]: fatal: buffer_get_string: bad string length 263168
May  3 06:57:36 cinnabar sshd[30975]: Received SIGHUP; restarting.
May  3 06:57:38 cinnabar sshd[26143]: Server listening on :: port 22.
May  3 06:57:38 cinnabar sshd[26143]: Server listening on 0.0.0.0 port 22.

===end===

I don't run any other services accessible from the outside (according
to an nmap scan I ran), and didn't find anything in the security alert
list for 3.1 that might address this problem. 

Any suggestions?  

  --Brian
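
An added example, not part of the original post: it parses the `ls -l` listing and sshd lines quoted above, lists the binaries left with owner-only permissions, and pairs any file whose modification time is shown as HH:MM with sshd events inside a time window. The function names, the five-minute window and the placeholder year are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the listing and sshd lines quoted in the post,
# with the wrapped log lines re-joined.
LS_LISTING = """\
-rwx------  1 root  wheel     12288 Jul  1  2002 find
-rwx------  1 root  wheel     12288 Jul  1  2002 passwd
-rwx------  1 root  wheel     12288 Jul  1  2002 su
-rwx------  1 root  wheel     16384 Jul  1  2002 ls
-rwx------  1 root  wheel     12288 Jul  3  2002 ps
-rwx------  1 root  wheel     25306 May  3 06:57 netstat
"""
SSHD_LOG = """\
May  3 06:02:57 cinnabar sshd[21439]: fatal: buffer_get_string: bad string length 263168
May  3 06:55:58 cinnabar sshd[1675]: fatal: buffer_get_string: bad string length 263168
May  3 06:57:36 cinnabar sshd[30975]: Received SIGHUP; restarting.
"""
YEAR = 2000  # assumption: neither format carries a year; used only for arithmetic

def parse_ls(text):
    """Yield (name, mode, mtime) per `ls -l` line; mtime is None when ls shows a year."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:
            continue
        mode, month, day, when, name = f[0], f[5], f[6], f[7], f[8]
        mtime = None
        if ":" in when:  # recent files show HH:MM instead of a year
            mtime = datetime.strptime(f"{YEAR} {month} {day} {when}", "%Y %b %d %H:%M")
        yield name, mode, mtime

def owner_only(text):
    """Names whose group and other permission bits are all cleared."""
    return [n for n, mode, _ in parse_ls(text) if mode[4:10] == "------"]

def parse_sshd(text):
    """Yield (timestamp, pid, message) for each sshd syslog line."""
    pat = re.compile(r"^\s*(\w{3})\s+(\d+)\s+([\d:]{8})\s+\S+\s+sshd\[(\d+)\]:\s+(.*)$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            mon, day, hms, pid, msg = m.groups()
            ts = datetime.strptime(f"{YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
            yield ts, int(pid), msg

def near_sshd_events(ls_text, log_text, window=timedelta(minutes=5)):
    """Pair each file having an HH:MM mtime with sshd events inside the window."""
    events = list(parse_sshd(log_text))
    return {n: [(pid, msg) for ts, pid, msg in events if abs(ts - mt) <= window]
            for n, _, mt in parse_ls(ls_text) if mt is not None}
```

On the quoted data, `near_sshd_events(LS_LISTING, SSHD_LOG)` returns only `netstat`, paired with the 06:55:58 fatal error and the 06:57:36 SIGHUP restart.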