Date:      Fri, 29 Dec 2006 19:48:39 +0100
From:      Thomas Nyström <thn@saeab.se>
To:        gareth <bsd@lordcow.org>
Cc:        stable@freebsd.org
Subject:   Re: system breach
Message-ID:  <45956307.4090403@saeab.se>
In-Reply-To: <20061229173916.GA3196@lordcow.org>
References:  <20061228231226.GA16587@lordcow.org> <b91012310612282010m22a6bbdbp97bf7bdecca1530@mail.gmail.com> <20061229155845.GA1266@lordcow.org> <45954196.9040909@saeab.se> <20061229173916.GA3196@lordcow.org>

gareth wrote:
> On Fri 2006-12-29 (17:25), Thomas Nyström wrote:
> 
>>I just checked one of my servers and also found a /tmp/download
>>directory with the same files that you had.
>>
>>I then compared the timestamp of /tmp/download with the timestamp
>>of the directories in /var/db/pkg: Same.
>>
>>My conclusion is that during a portupgrade these files were written
>>there, directly or indirectly by portupgrade or the port itself.
> 
> 
> oh. ok. well even though that's weird behaviour from a package it's
> more plausible since i haven't found anything else suspicious. are
> the timestamps exactly the same? i have 4 packages that're 20 minutes
> different. which of yours are the same? or was that for all files?
> (since i'd like to try and reproduce it).

It looks like this:

ture(root)# dir
total 50
drwxrwxr-x   5 root  wheel    512 29 Aug 16:29 ./
drwxrwxrwt  11 root  wheel   3072 29 Dec 19:35 ../
drwxrwxr-x   4 root  wheel    512 29 Aug 16:29 Archive_Tar-1.3.1/
drwxrwxr-x   3 root  wheel    512 29 Aug 16:29 Console_Getopt-1.2/
drwxrwxr-x   3 root  wheel    512 29 Aug 16:29 XML_RPC-1.5.0/
-rw-rw-r--   1 root  wheel  15433 12 Jul 02:09 package.xml
-rw-rw-r--   1 root  wheel  22193 12 Jul 02:09 package2.xml

Exactly which port did this is hard to tell. I have around
130 ports installed and most of them were updated 29th Aug.
I have looked at the files that exist in these directories
and according to the +CONTENTS files in /var/db/pkg all are claimed
to belong to pear-1.4.11, so that might be a candidate...

/thn

-- 
---------------------------------------------------------------
Svensk Aktuell Elektronik AB                     Thomas Nyström
Box 10                                    Phone: +46 8 35 92 85
S-191 21  Sollentuna                        Fax: +46 8 35 92 86
Sweden                                      Email: thn@saeab.se
---------------------------------------------------------------
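The check Thomas describes, matching the unexpected files against what /var/db/pkg claims to own, as an added example that is not code from the thread. It assumes the pkg_install-era +CONTENTS layout (@name, @cwd, path lines each followed by an "@comment MD5:" line); the sample package path and hash are constructed, only the package name comes from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: answer "which installed package
# claims this file?" from the pkg_install-era /var/db/pkg/<pkg>/+CONTENTS
# files (@name, @cwd, one relative path per line, each followed by an
# "@comment MD5:<hash>" line). PKGDB is overridable so the sample runs offline.

PKGDB="${PKGDB:-/var/db/pkg}"

# scan_contents md5 <hash>  -> "pkg:/abs/path" for entries with that MD5
# scan_contents name <file> -> "pkg:/abs/path" for entries with that basename
scan_contents() {
    mode="$1"; want="$2"
    for c in "$PKGDB"/*/+CONTENTS; do
        [ -f "$c" ] || continue
        awk -v mode="$mode" -v want="$want" '
            /^@name /        { pkg = $2; next }
            /^@cwd /         { cwd = $2; next }
            /^@comment MD5:/ { if (mode == "md5" && substr($2, 5) == want)
                                   print pkg ":" cwd "/" file
                               next }
            /^@/             { next }            # other directives: ignore
            {   file = $0                        # a plain path line
                n = split(file, p, "/")
                if (mode == "name" && p[n] == want) print pkg ":" cwd "/" file
            }' "$c"
    done
}

# Checksum an unexpected file (md5(1) on FreeBSD, md5sum elsewhere) and
# look the hash up in the package database.
claim_for_file() {
    if command -v md5 >/dev/null 2>&1; then sum=$(md5 -q "$1")
    else sum=$(md5sum "$1" | cut -d' ' -f1); fi
    scan_contents md5 "$sum"
}

# Constructed sample database: the package name is from the thread, the
# path is made up, and the hash is simply MD5 of an empty file.
build_sample_db() {
    PKGDB=$(mktemp -d)
    mkdir -p "$PKGDB/pear-1.4.11" "$PKGDB/foo-1.0"
    printf '%s\n' '@name pear-1.4.11' '@cwd /usr/local' \
        'share/pear/Archive/Tar.php' \
        '@comment MD5:d41d8cd98f00b204e9800998ecf8427e' \
        > "$PKGDB/pear-1.4.11/+CONTENTS"
    printf '%s\n' '@name foo-1.0' '@cwd /usr/local' 'bin/foo' \
        '@comment MD5:00000000000000000000000000000000' > "$PKGDB/foo-1.0/+CONTENTS"
}

build_sample_db; scan_contents name Tar.php   # pear-1.4.11:/usr/local/share/pear/Archive/Tar.php
```

On a real system, leave PKGDB unset and run claim_for_file on each file under /tmp/download; a hit tells you which package's install copy has identical content, while a name-only match with a differing checksum is worth a closer look.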


