Date: Sat, 10 Nov 2007 07:44:07 -0800
From: Jeremy Chadwick
To: Mike -freebsd
Cc: freebsd-ports@freebsd.org
Subject: Re: 4203:31337 (possible exploit?)
Message-ID: <20071110154407.GA11692@eos.sc1.parodius.com>
In-Reply-To: <84f7f5800711100625l6a0ef442m1a6824fa74c56972@mail.gmail.com>

On Sat, Nov 10, 2007 at 03:25:57PM +0100, Mike -freebsd wrote:
> Guys, is anyone else seeing this?
> drwxr-xr-x 69 4203 31337 1536 Nov 9 13:59 ports
>
> I see this on three of four FreeBSD 7 boxes and only on /usr/ports/
> (why...?). Anyone else?

Four different boxes of ours:

$ uname -r && ls -ld /usr/ports
6.2-STABLE
drwxr-xr-x 69 root wheel 2048 10 Nov 02:14 /usr/ports/

$ uname -r && ls -ld /usr/ports
6.3-PRERELEASE
drwxr-xr-x 69 root wheel 1536 10 Nov 02:12 /usr/ports/

$ uname -r && ls -ld /usr/ports
7.0-PRERELEASE
drwxr-xr-x 69 root wheel 1536 7 Nov 02:24 /usr/ports/

$ uname -r && ls -ld /usr/ports
7.0-BETA2
drwxr-xr-x 69 root wheel 1536 10 Nov 02:19 /usr/ports/

Sounds like you may have a security problem (re: "31337" GID). If that's
the case, I would strongly advocate formatting + reinstalling those
machines.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |
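
The listings compared in this message differ in their owner and group columns: numeric ids (4203, 31337) versus names (root, wheel). The script below is an added example, not part of the original e-mail or of FreeBSD; it flags `ls -l` lines whose owner or group is a bare number and shows a `find` variant for a live tree. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. ls(1) prints a bare number in the owner
# or group column when that id has no passwd/group entry on the host.

# Constructed sample: one listing line quoted in the thread, one from the reply.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x 69 4203 31337 1536 Nov 9 13:59 ports
drwxr-xr-x 69 root wheel 1536 10 Nov 02:19 /usr/ports/
EOF
}

# Read `ls -l` / `ls -ld` lines on stdin; print "uid=N,gid=M name" for every
# entry whose owner and/or group column is purely numeric.
# Limits: names containing spaces are cut to the last word, and an account
# whose name is all digits would be reported as well.
flag_unresolved_owners() {
    awk '
        $1 ~ /^[-bcdlps][-rwxsStT]+/ && NF >= 9 {
            why = ""
            if ($3 ~ /^[0-9]+$/) why = "uid=" $3
            if ($4 ~ /^[0-9]+$/) why = why (why != "" ? "," : "") "gid=" $4
            if (why != "") print why, $NF
        }'
}

# Live-system variant: let find(1) do the lookup instead of parsing ls output.
# -nouser / -nogroup match files whose uid / gid is unknown to the system.
scan_tree() {
    find "$1" \( -nouser -o -nogroup \) -exec ls -ld {} +
}

sample_listing | flag_unresolved_owners
```

On a host, `scan_tree /usr/ports` lists every entry under the tree with an unresolvable owner or group, which shows whether the odd ownership is confined to the top-level directory.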