From: "Mike -freebsd" <mike.freebsd@gmail.com>
To: "Kris Kennaway"
Cc: freebsd-ports@freebsd.org
Date: Sat, 10 Nov 2007 17:59:28 +0100
Subject: Re: 4203:31337 (possible exploit?)
Message-ID: <84f7f5800711100859l454873b2g22925e5defa1149e@mail.gmail.com>
In-Reply-To: <4735DC3A.90206@FreeBSD.org>
List-Id: Porting software to FreeBSD

On Nov 10, 2007 5:28 PM, Kris Kennaway wrote:
> > Sounds like you may have a security problem (re: "31337" GID). If
> > that's the case, I would strongly advocate formatting + reinstalling
> > those machines.
>
> I asked because that is the uid/gid used on pointyhat ;)
>
> Kris

Well, I've dug up all available backups and what I can tell is that those uid/gid propagated with the rest of the ports tree from a main box used here for builds, installations and updates to the whole network. Stupid me had weekly noid reports disabled on all of them, except the last one added recently, which finally caught it. The problem was present there for at least three, possibly four months... BUT I'm 95% sure that the main ports tree was never downloaded via anything other than c[v]sup + supfile with the default host set to either ftp.freebsd.org or one of the official mirrors, for the past few years.

I wish I could tell you more, but I see nothing even remotely connected to pointyhat, as there is no point in using anything other than the official ports repo for production machines.

OTOH, you won't believe how glad I was to hear that those are pointyhat IDs. The "31337" scared the shit out of me :(
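The "noid" report mentioned above is FreeBSD's periodic security check for files whose numeric owner or group no longer resolves to an entry in passwd/group (on a live host it boils down to `find / -nouser -o -nogroup`). The script below is an added example, not part of this thread or of FreeBSD's periodic scripts: it performs the same check over constructed inputs so it runs offline and without root. The passwd/group fragments, the file list (shaped like the output of `stat -f '%u %g %N'` on FreeBSD or `find -printf '%U %G %p\n'` with GNU find) and the paths are all made up for the illustration; the uid/gid 31337 entries stand in for what the poster's noid report would have flagged.

```shell
#!/bin/sh
# Added example: emulate the periodic "noid" check (files whose uid or gid
# is not known to the system) on constructed data, so it runs without root.

# Constructed passwd/group fragments (hypothetical users and groups).
PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
mike:*:1001:1001:Mike:/home/mike:/bin/sh'
GROUP='wheel:*:0:root
mike:*:1001:'

# Constructed "uid gid path" lines, as produced on FreeBSD by
#   find /usr/ports -exec stat -f '%u %g %N' {} +
# Two entries carry the unknown id 31337 on purpose.
FILES='0 0 /usr/ports/Mk/bsd.port.mk
1001 1001 /usr/ports/www/apache22/Makefile
31337 31337 /usr/ports/INDEX-7
31337 0 /usr/ports/sysutils/screen/distinfo'

# noid_check PASSWD GROUP FILES
# Prints "uid|gid|path" for every file whose uid is absent from PASSWD
# or whose gid is absent from GROUP. Paths may contain spaces: "read"
# assigns the remainder of the line to "path".
noid_check() {
    passwd=$1 group=$2 files=$3
    known_uids=$(printf '%s\n' "$passwd" | cut -d: -f3)
    known_gids=$(printf '%s\n' "$group" | cut -d: -f3)
    printf '%s\n' "$files" | while read -r uid gid path; do
        if ! printf '%s\n' "$known_uids" | grep -qx "$uid" ||
           ! printf '%s\n' "$known_gids" | grep -qx "$gid"; then
            printf '%s|%s|%s\n' "$uid" "$gid" "$path"
        fi
    done
}

# noid_count PASSWD GROUP FILES -> number of flagged files (0 means clean).
noid_count() {
    noid_check "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone run: list the offending files.
noid_check "$PASSWD" "$GROUP" "$FILES"
```

On a real host the check is only as good as its coverage: the poster's case went unnoticed for months precisely because the weekly report was disabled everywhere except on one newly added box, so the useful follow-up is to confirm the periodic noid check is enabled on every machine that receives the ports tree, and then to trace where a flagged id came from (here, an official distribution tree carrying the build host's uid/gid) before assuming compromise.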