From owner-freebsd-questions  Wed Mar 12 10:21:18 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E5F0E37B401
	for <questions@FreeBSD.ORG>; Wed, 12 Mar 2003 10:21:16 -0800 (PST)
Received: from fep1.cogeco.net (smtp.cogeco.net [216.221.81.25])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B2C3643FBF
	for <questions@FreeBSD.ORG>; Wed, 12 Mar 2003 10:21:13 -0800 (PST)
	(envelope-from dlavigne6@cogeco.ca)
Received: from dhcp-17-14.kico2.on.cogeco.ca (d226-42-146.home.cgocable.net [24.226.42.146])
	by fep1.cogeco.net (Postfix) with ESMTP
	id 9FC14A2B8; Wed, 12 Mar 2003 13:21:11 -0500 (EST)
Date: Wed, 12 Mar 2003 13:25:00 -0500 (EST)
From: Dru <dlavigne6@cogeco.ca>
X-X-Sender: dlavigne6@dhcp-17-14.kico2.on.cogeco.ca
To: Volker Kindermann <freebsd@secspace.de>
Cc: questions@FreeBSD.ORG
Subject: Re: sfs UID 71
In-Reply-To: <20030312172732.05c139e3.freebsd@secspace.de>
Message-ID: <20030312132316.C89419@dhcp-17-14.kico2.on.cogeco.ca>
References: <20030311184600.G89419@dhcp-17-14.kico2.on.cogeco.ca>
 <20030312172732.05c139e3.freebsd@secspace.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG



On Wed, 12 Mar 2003, Volker Kindermann wrote:

> Hi Dru,
>
>
> > I was reading my daily output on a 4.7-RELEASE and noticed the
> > following user was created:
> >
> > > sfs:*:71:
> >
> > as well as the following groups:
> >
> > < nogroup:*:65533:
> > < nobody:*:65534:
> > < sfs:*:71:
>
> IMHO sfs has nothing to do with tripwire. A quick search on google
> showed a software sfs (networking file system). Have a look here:
>
> http://www.ugcs.caltech.edu/info/sfs/sfs_toc.html


I know, that's all I could find myself. So, I have no clue why that
user/groups showed up out of the blue. I was sorta hoping it had something
to do with tripwire...

Anyone heard of any exploits that create the above?

Dru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message