Date:      Sat, 10 Nov 2007 07:44:07 -0800
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Mike -freebsd <mike.freebsd@gmail.com>
Cc:        freebsd-ports@freebsd.org
Subject:   Re: 4203:31337 (possible exploit?)
Message-ID:  <20071110154407.GA11692@eos.sc1.parodius.com>
In-Reply-To: <84f7f5800711100625l6a0ef442m1a6824fa74c56972@mail.gmail.com>
References:  <84f7f5800711100625l6a0ef442m1a6824fa74c56972@mail.gmail.com>

On Sat, Nov 10, 2007 at 03:25:57PM +0100, Mike -freebsd wrote:
> Guys, is anyone else seeing this?
> drwxr-xr-x  69 4203  31337  1536 Nov  9 13:59 ports
> 
> I see this on three of four FreeBSD 7 boxes and only on /usr/ports/
> (why...?). Anyone else?

Four different boxes of ours:

$ uname -r && ls -ld /usr/ports
6.2-STABLE
drwxr-xr-x   69 root      wheel     2048 10 Nov 02:14 /usr/ports/

$ uname -r && ls -ld /usr/ports
6.3-PRERELEASE
drwxr-xr-x   69 root      wheel     1536 10 Nov 02:12 /usr/ports/

$ uname -r && ls -ld /usr/ports
7.0-PRERELEASE
drwxr-xr-x   69 root      wheel     1536  7 Nov 02:24 /usr/ports/

$ uname -r && ls -ld /usr/ports
7.0-BETA2
drwxr-xr-x   69 root      wheel     1536 10 Nov 02:19 /usr/ports/

Sounds like you may have a security problem (re: "31337" GID).  If
that's the case, I would strongly advocate formatting + reinstalling
those machines.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |
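Added example, not part of the original e-mail: ls prints a bare number such as 4203 or 31337 when the owner or group ID has no entry in the account database, so one triage step on an affected box is to list every entry under the tree with an unmapped owner or group (the same test as `find -nouser -o -nogroup`). The function name `find_unmapped` and its parameters are hypothetical names chosen for this sketch.

```python
import grp
import os
import pwd
import sys


def _has_user(uid):
    """True if the UID resolves to an account (passwd or other configured source)."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def _has_group(gid):
    """True if the GID resolves to a group entry."""
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def find_unmapped(root, has_user=_has_user, has_group=_has_group):
    """Return (path, uid, gid, reason) for root and everything below it whose
    owner or group ID has no name, i.e. what ls would show as a number."""
    findings = []

    def check(path):
        st = os.lstat(path)  # lstat: inspect a symlink itself, never its target
        reasons = []
        if not has_user(st.st_uid):
            reasons.append("nouser")
        if not has_group(st.st_gid):
            reasons.append("nogroup")
        if reasons:
            findings.append((path, st.st_uid, st.st_gid, "+".join(reasons)))

    check(root)
    # os.walk does not descend into symlinked directories by default
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/ports"
    for path, uid, gid, why in find_unmapped(target):
        print(f"{why}\t{uid}:{gid}\t{path}")
```

Whether only the top-level directory or every file beneath it carries the unmapped IDs, and what the modification times on those entries are, is worth recording before the machine is reinstalled.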




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071110154407.GA11692>