From: Kris Kennaway
Date: Sat, 10 Nov 2007 17:28:42 +0100
To: Jeremy Chadwick
Cc: Mike -freebsd, freebsd-ports@freebsd.org
Subject: Re: 4203:31337 (possible exploit?)
Message-ID: <4735DC3A.90206@FreeBSD.org>

Jeremy Chadwick wrote:
> On Sat, Nov 10, 2007 at 03:25:57PM +0100, Mike -freebsd wrote:
>> Guys, is anyone else seeing this?
>> drwxr-xr-x 69 4203 31337 1536 Nov 9 13:59 ports
>>
>> I see this on three of four FreeBSD 7 boxes and only on /usr/ports/
>> (why...?). Anyone else?
>
> Four different boxes of ours:
>
> $ uname -r && ls -ld /usr/ports
> 6.2-STABLE
> drwxr-xr-x 69 root wheel 2048 10 Nov 02:14 /usr/ports/
>
> $ uname -r && ls -ld /usr/ports
> 6.3-PRERELEASE
> drwxr-xr-x 69 root wheel 1536 10 Nov 02:12 /usr/ports/
>
> $ uname -r && ls -ld /usr/ports
> 7.0-PRERELEASE
> drwxr-xr-x 69 root wheel 1536 7 Nov 02:24 /usr/ports/
>
> $ uname -r && ls -ld /usr/ports
> 7.0-BETA2
> drwxr-xr-x 69 root wheel 1536 10 Nov 02:19 /usr/ports/
>
> Sounds like you may have a security problem (re: "31337" GID). If
> that's the case, I would strongly advocate formatting + reinstalling
> those machines.

I asked because that is the uid/gid used on pointyhat ;)

Kris