Date:      Sat, 10 Nov 2007 17:59:28 +0100
From:      "Mike -freebsd" <mike.freebsd@gmail.com>
To:        "Kris Kennaway" <kris@freebsd.org>
Cc:        freebsd-ports@freebsd.org
Subject:   Re: 4203:31337 (possible exploit?)
Message-ID:  <84f7f5800711100859l454873b2g22925e5defa1149e@mail.gmail.com>
In-Reply-To: <4735DC3A.90206@FreeBSD.org>
References:  <84f7f5800711100625l6a0ef442m1a6824fa74c56972@mail.gmail.com> <20071110154407.GA11692@eos.sc1.parodius.com> <4735DC3A.90206@FreeBSD.org>

On Nov 10, 2007 5:28 PM, Kris Kennaway <kris@freebsd.org> wrote:

> > Sounds like you may have a security problem (re: "31337" GID).  If
> > that's the case, I would strongly advocate formatting + reinstalling
> > those machines.
>
> I asked because that is the uid/gid used on pointyhat ;)
>
> Kris
>
>
Well, I've dug up all available backups and what I can tell is that
those uid/gid propagated with the rest of the ports tree from a main
box used here for builds, installations and updates to the whole
network. Stupid me had weekly noid reports disabled on all of them,
except the last one added recently that finally caught it. The problem
was present there for at least three, possibly four months...

BUT I'm 95% sure that the main ports tree was never downloaded via
anything else than c[v]sup + supfile with default host set to either
ftp.freebsd.org, or one of the official mirrors, for the past few years.
I wish I could tell you more, but I see nothing even remotely
connected to pointyhat, as there is no point in using any other than the
official ports repo for production machines. OTOH, you won't believe
how glad I was to hear that those are pointyhat IDs. The "31337"
scared the shit out of me :(
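The weekly noid report that finally caught the stray uid/gid is the FreeBSD periodic security check for files whose owner or group does not resolve to a local account. The script below is an added example, not code from this thread or from FreeBSD: it walks a tree with the same logic, and the resolver callables are parameters so the check can be exercised on constructed entries (the paths and the 31337 ids below are made up for the demonstration) without needing root to chown test files.

```python
"""Report files whose uid or gid does not resolve locally (noid-style check)."""
import grp
import os
import pwd
from typing import Callable, Iterable, Iterator, List, Tuple

Entry = Tuple[str, int, int]  # (path, uid, gid)


def uid_known(uid: int) -> bool:
    """True if uid resolves in the local password database."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def gid_known(gid: int) -> bool:
    """True if gid resolves in the local group database."""
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def iter_tree(root: str) -> Iterator[Entry]:
    """Yield (path, uid, gid) for every entry under root; lstat so symlinks are not followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip rather than abort the scan
            yield path, st.st_uid, st.st_gid


def find_unowned(entries: Iterable[Entry],
                 uid_ok: Callable[[int], bool] = uid_known,
                 gid_ok: Callable[[int], bool] = gid_known) -> List[str]:
    """Return one report line per entry whose uid or gid is unknown."""
    report = []
    for path, uid, gid in entries:
        problems = []
        if not uid_ok(uid):
            problems.append(f"uid {uid} unknown")
        if not gid_ok(gid):
            problems.append(f"gid {gid} unknown")
        if problems:
            report.append(f"{path}: {', '.join(problems)}")
    return report


# Constructed sample: a ports tree where two files carry an id no local account has.
SAMPLE_ENTRIES = [
    ("/usr/ports/Mk/bsd.port.mk", 0, 0),
    ("/usr/ports/sysutils/example/Makefile", 31337, 31337),
    ("/usr/ports/sysutils/example/distinfo", 0, 31337),
]

if __name__ == "__main__":
    import sys
    for line in find_unowned(iter_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/ports")):
        print(line)
```

Run it against a real tree as `python3 noid_check.py /usr/ports`; the sample entries only exist so the logic can be checked offline.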