[vox-tech] Things changing overnight

Ken Bloom vox-tech@lists.lugod.org
Sat, 9 Aug 2003 22:47:22 -0700


--/9DWx/yDrRhgMJTb
Content-Type: text/plain; format=flowed; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Sometime in the past few days, my modem /dev/ttyS4 changed its=20
permissions from 660 to 640 without my intervention. My first question:=20
is there any kind of security package on debian that might have done=20
this as a cronjob? I don't use devfs.

When asking on #debian, a user suggested that I check my logs to see if=20
I had been hacked. I found in /var/logs/auth.log that the command `su`=20
had been run to switch from user `root` to user `nobody` at 3:35 this=20
morning, a time when I was not connected to the internet (I use ppp to=20
connect through my modem). My second question: any idea what might have=20
done this? (obviously, I'd like to avoid a reinstall)

(I can't seem to find any cronjob that would be doing this, but it
would help if you had any suggestions)

I am running a Debian sarge/sid mixed box.

--=20
I usually have a GPG digital signature included as an attachment.
If you don't know what it is, either ignore it or visit www.gnupg.org
My PGP key was last signed 6/10/2003 please download my key again if
it is more recent than your copy. If you use GPG, *please* talk to
me to sign it. The key is keyID E2B2CAD1 on pgp.mit.edu
--/9DWx/yDrRhgMJTb
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQA/NdxqlHapveKyytERAilwAJ9c8ZXqmFVz6tMaN+oZVvVhqnIRvQCeLQVG
x6EPxMX5R71/xf71EThRkbY=
=Y8Uh
-----END PGP SIGNATURE-----

--/9DWx/yDrRhgMJTb--