From: Thomas Nyström <thn@saeab.se>
Organization: Svensk Aktuell Elektronik AB
Date: Fri, 29 Dec 2006 17:25:58 +0100
To: gareth
Cc: stable@freebsd.org
Subject: Re: system breach

gareth wrote:
> On Thu 2006-12-28 (22:10), David Todd wrote:
>
>>something's up, nothing in ports will write to a /tmp/download
>>directory, so either you or someone with root access did it.

I just checked one of my servers and also found a /tmp/download
directory with the same files that you had. I then compared the
timestamp of /tmp/download with the timestamp of the directories in
/var/db/pkg: Same.

My conclusion is that during a portupgrade these files were written
there, directly or indirectly by portupgrade or the port itself.

About two years ago I cleaned up a system that really had a system
breach (through some php-based web application). I could then find
a directory in /tmp owned by www that contained a complete distribution
with configure script and the result of the build. This /tmp/download
doesn't look like that at all.

/thn

--
---------------------------------------------------------------
Svensk Aktuell Elektronik AB                    Thomas Nyström
Box 10                                  Phone: +46 8 35 92 85
S-191 21 Sollentuna                     Fax:   +46 8 35 92 86
Sweden                                  Email: thn@saeab.se
---------------------------------------------------------------
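
The timestamp comparison described in the message above, as an added example that is not part of the original post: it lists the entries under /var/db/pkg whose directory mtime falls close to that of a suspect directory. The function names, the 600-second default window and the per-port directory layout of /var/db/pkg are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage after sourcing this file:  pkgs_near_mtime /tmp/download

# Print a path's mtime in epoch seconds (GNU stat first, then BSD stat).
mtime_of() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# pkgs_near_mtime SUSPECT_DIR [PKGDB] [WINDOW_SECONDS]
# Prints "<entry><TAB><seconds relative to SUSPECT_DIR>" for each package
# database entry modified within WINDOW_SECONDS of SUSPECT_DIR.
# Returns 0 if at least one entry matched, 1 if none did, 2 on bad input.
pkgs_near_mtime() {
    suspect=$1
    pkgdb=${2:-/var/db/pkg}
    window=${3:-600}    # assumed tolerance, not a value from the post
    if [ ! -d "$suspect" ]; then
        echo "no such directory: $suspect" >&2
        return 2
    fi
    ref=$(mtime_of "$suspect") || return 2
    status=1
    for d in "$pkgdb"/*/; do
        [ -d "$d" ] || continue
        t=$(mtime_of "$d") || continue
        delta=$((t - ref))
        abs=$delta
        if [ "$abs" -lt 0 ]; then
            abs=$((0 - abs))
        fi
        if [ "$abs" -le "$window" ]; then
            printf '%s\t%s\n' "$(basename "$d")" "$delta"
            status=0
        fi
    done
    return $status
}
```

A match only shows that a port was installed or upgraded around the time the directory was last modified; an empty result with exit status 1 means no package activity explains the timestamp.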