From owner-freebsd-stable@FreeBSD.ORG  Fri Dec 29 17:39:18 2006
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: stable@freebsd.org
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 2B82516A403
	for <stable@freebsd.org>; Fri, 29 Dec 2006 17:39:18 +0000 (UTC)
	(envelope-from bsd@lordcow.org)
Received: from mail.uct.ac.za (mail.uct.ac.za [137.158.128.3])
	by mx1.freebsd.org (Postfix) with ESMTP id C352313C474
	for <stable@freebsd.org>; Fri, 29 Dec 2006 17:39:17 +0000 (UTC)
	(envelope-from bsd@lordcow.org)
Received: from lhc.phy.uct.ac.za ([137.158.37.93])
	by mail.uct.ac.za with esmtp (Exim 4.44 (FreeBSD))
	id 1H0LhM-0005zY-Ls
	for stable@freebsd.org; Fri, 29 Dec 2006 19:39:16 +0200
Received: from lordcow by lhc.phy.uct.ac.za with local (Exim 4.63)
	(envelope-from <bsd@lordcow.org>) id 1H0LhM-0000pk-LE
	for stable@freebsd.org; Fri, 29 Dec 2006 19:39:16 +0200
Date: Fri, 29 Dec 2006 19:39:16 +0200
From: gareth <bsd@lordcow.org>
To: stable@freebsd.org
Message-ID: <20061229173916.GA3196@lordcow.org>
Mail-Followup-To: stable@freebsd.org
References: <20061228231226.GA16587@lordcow.org>
	<b91012310612282010m22a6bbdbp97bf7bdecca1530@mail.gmail.com>
	<20061229155845.GA1266@lordcow.org> <45954196.9040909@saeab.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <45954196.9040909@saeab.se>
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: 
Subject: Re: system breach
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2006 17:39:18 -0000

On Fri 2006-12-29 (17:25), Thomas Nystr?m wrote:
> I just checked one of my servers and also found a /tmp/download
> directory with the same files that you had.
> 
> I then compared the timestamp of /tmp/download with the timestamp
> of the directories in /var/db/pkg: Same.
> 
> My conclusion is that during a portupgrade these files were written
> there, directly or indirectly by portupgrade or the port itself.

oh. ok. well even though that's weird behaviour from a package it's
more plausible since i haven't found anything else suspicious. are
the timestamps exactly the same? i have 4 packages that're 20 minutes
different. which of yours are the same? or was that for all files.
(since i'd like to try an reproduce it).