From owner-freebsd-stable@FreeBSD.ORG Fri Dec 29 15:59:29 2006
Date: Fri, 29 Dec 2006 17:58:45 +0200
From: gareth
To: stable@freebsd.org
Subject: Re: system breach
Message-ID: <20061229155845.GA1266@lordcow.org>
References: <20061228231226.GA16587@lordcow.org>
User-Agent: Mutt/1.5.13 (2006-08-11)
List-Id: Production branch of FreeBSD source code

On Thu 2006-12-28 (22:10), David Todd wrote:

> something's up, nothing in ports will write to a /tmp/download
> directory, so either you or someone with root access did it.

Thought as much :/

> I suggest:
> checking /var/log/auth.log for attempted breaches

I had a rough skim and nothing suspicious; wanted to know when this
happened so I could scrutinise the logs better.

> run sockstat and look for processes with ports open that shouldn't
> have ports open.

Thanks, had a look at that and netstat etc., everything's normal.

> conftest cores usually mean a ./configure was issued and parts of
> said configure failed, them being so far apart suggests that some work
> was done to the configure script to fix it.
>
> If you didn't install anything from ports at or around those periods
> of time, then someone was running a configure script to build
> something on the machine.

Ah. It could very well have been me, was compiling a lot of stuff around
those 2 days. Doesn't seem like portupgrade etc. keeps logs to check.
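The triage discussed above (pin down when /tmp/download appeared, then read auth.log around that time rather than skimming the whole file) as an added shell example; this is not code from the thread or from FreeBSD, the log lines are constructed for the example, and the hostname and addresses in them are placeholders. On FreeBSD, `ls -lTd /tmp/download` prints the directory's full modification time to feed the window; note that a directory's mtime moves every time an entry is added, so on UFS2 the birth time from `stat -f %SB` is the better anchor. Listening sockets are still checked by eye with `sockstat -4l`; there is nothing to script there beyond comparing against what the box is supposed to serve.

```shell
#!/bin/sh
# Added example (not from the thread): pull the auth.log lines that fall
# inside a time window around a suspicious file's timestamp, and count
# sshd accept/fail outcomes per source address so repeated guessing or
# an unexpected accepted login stands out.
set -eu

# Write a constructed auth.log sample to a temp file and print its path.
# Real data lives in /var/log/auth.log on FreeBSD; these lines are made up,
# "host" is a placeholder hostname and the addresses are documentation ranges.
sample_log() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
Dec 28 20:15:02 host sshd[1201]: Accepted publickey for gareth from 10.0.0.9 port 50122 ssh2
Dec 28 21:40:11 host sshd[1290]: Failed password for root from 192.0.2.44 port 4021 ssh2
Dec 28 21:40:15 host sshd[1290]: Failed password for root from 192.0.2.44 port 4021 ssh2
Dec 28 22:03:58 host sshd[1311]: Accepted password for gareth from 192.0.2.44 port 4050 ssh2
Dec 28 22:04:20 host su: gareth to root on /dev/ttyp1
Dec 29 09:12:44 host sshd[1402]: Failed password for invalid user admin from 198.51.100.7 port 3322 ssh2
EOF
  echo "$f"
}

# Print the lines of $1 whose syslog timestamp lies within [$2, $3].
# Bounds are "MM-DD HH:MM:SS"; syslog stamps carry no year, so pick a
# window that does not straddle New Year. The month name is turned into
# a zero-padded number so the keys compare correctly as strings.
auth_window() {
  file=$1; start=$2; end=$3
  awk -v start="$start" -v end="$end" '
    function mnum(m) { return (index("JanFebMarAprMayJunJulAugSepOctNovDec", m) + 2) / 3 }
    {
      key = sprintf("%02d-%02d %s", mnum($1), $2, $3)
      if (key >= start && key <= end) print
    }' "$file"
}

# Summarise sshd outcomes in $1 as "<count> <Accepted|Failed> <source ip>",
# most frequent first. Field 6 of an sshd line is the outcome word; the
# source address is the field after "from" (its position varies, e.g.
# "for invalid user admin from ...").
ssh_summary() {
  awk '/sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
      ip = "?"
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      n[$6 " " ip]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Stand-alone run against the constructed sample.
log=$(sample_log)
echo "== auth.log entries 21:00-23:00 on Dec 28 =="
auth_window "$log" "12-28 21:00:00" "12-28 23:00:00"
echo "== sshd outcomes by source address =="
ssh_summary "$log"
rm -f "$log"
```

Run it against the real file by replacing `sample_log` with `/var/log/auth.log` and a window a few hours either side of the directory's timestamp; an `Accepted` line from an address that was also failing moments earlier, followed by an `su` to root, is exactly the pattern a skim of the whole log tends to miss.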