Gene Grimm wrote:
> The following message was received by our admin account after finding an
> intrusion (followed by rotating shell account passwords). Can anyone tell me
> how to find out what devices are referenced in this message?
>
> ----- Original Message -----
>
> > User 501 tried to run dev 773 ino 278048 in place of dev 774 ino 310316!
> > (Filename of set-id script was ./none

These aren't devices. To uniquely identify a file in unix you need to provide only the device it is on and the inode of the device that the file occupies, and that's what the numbers are. Comes right out of stat(2).

This is suidperl detecting an attempt to exploit a common unix race condition dealing with executing suid scripts. Or they might have really been trying to exploit an old security hole in suidperl's checks for that race condition. See perlsec(1) under "Security Bugs" for details.

--
see shy jo
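
As an added example (not part of the original message), the sketch below parses the warning quoted above and searches a directory tree for the file that a given (device, inode) pair from stat(2) refers to, which is the lookup an administrator needs during triage. The function names are illustrative, and `split_dev` assumes the numbers are Linux `dev_t` values.

```python
import os
import re

# Format of the suidperl warning quoted in the thread above.
MSG_RE = re.compile(
    r"User (\d+) tried to run dev (\d+) ino (\d+) in place of dev (\d+) ino (\d+)!"
)

def split_dev(dev):
    """Split st_dev into (major, minor). Assumption: Linux dev_t packing;
    other Unix systems pack it differently. 773 -> (3, 5) here."""
    major = ((dev >> 8) & 0xFFF) | ((dev >> 32) & ~0xFFF)
    minor = (dev & 0xFF) | ((dev >> 12) & ~0xFF)
    return major, minor

def parse_warning(line):
    """Return the uid and both (dev, ino) pairs from the warning, or None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    uid, dev_ran, ino_ran, dev_exp, ino_exp = map(int, m.groups())
    return {"uid": uid, "ran": (dev_ran, ino_ran), "expected": (dev_exp, ino_exp)}

def _lstat(path):
    """lstat() that returns None for entries that vanished or are unreadable."""
    try:
        return os.lstat(path)
    except OSError:
        return None

def find_by_dev_ino(root, dev, ino):
    """Walk root and return every path whose lstat() matches (dev, ino).

    Hard links share an inode, so several paths can match. Subdirectories
    on another device (mount points) are not descended into, like find -xdev.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        same_dev = []
        for d in dirnames:
            st = _lstat(os.path.join(dirpath, d))
            if st is not None and st.st_dev == dev:
                same_dev.append(d)
        dirnames[:] = same_dev  # prune the walk in place
        for name in filenames + dirnames:
            path = os.path.join(dirpath, name)
            st = _lstat(path)
            if st is not None and st.st_dev == dev and st.st_ino == ino:
                hits.append(path)
    return sorted(hits)
```

Point `root` at the mount point of the filesystem the device number decodes to. An empty result means the inode has since been freed or lives outside the tree searched.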