From owner-freebsd-security@FreeBSD.ORG Fri Jan 7 06:52:20 2005
Date: Fri, 7 Jan 2005 07:52:28 +0100
From: Zoran Kolic
To: freebsd-security@freebsd.org
Message-ID: <20050107065228.GA587@mycenae.net>
Subject: abyoos.a
List-Id: Security issues [members-only posting]

Dear folks!
Using f-prot, I've found
"unix/abyoos.a" in one
pure ascii file. Simple
googling didn't reveal
any special info about.
Is it something I should
be aware of?
What parts of it could I
find on the system, if any?
Best regards

Zoran

From owner-freebsd-security@FreeBSD.ORG Fri Jan 7 13:13:51 2005
Date: Fri, 7 Jan 2005 08:13:44 -0500
From: Daniel Payne
To: freebsd-security@freebsd.org
Message-ID: <20050107081344.13b04dbf@beavis>
In-Reply-To: <20050107065228.GA587@mycenae.net>
References: <20050107065228.GA587@mycenae.net>
Subject: Re: abyoos.a

On Fri, 7 Jan 2005 07:52:28 +0100
Zoran Kolic wrote:

> Dear folks!
> Using f-prot, I've found
> "unix/abyoos.a" in one
> pure ascii file. Simple
> googling didn't reveal
> any special info about.
> Is it something I should
> be aware of?
> What parts of it could I
> find on the system, if any?
> Best regards
>
> Zoran
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"

Hi Zoran,

It's a virus.. be aware
sorry I couldn't find a lot of info, just three links on google.com to
commercial websites

http://www.gordano.com/kb.htm?q=2409
http://www.authentium.com/threats/VirList.asp?Page=22
http://ww.authentium.com/support/avmatrix/

be cool

--
Daniel
- the goal is to roll... -

From owner-freebsd-security@FreeBSD.ORG Fri Jan 7 04:29:24 2005
Date: Thu, 6 Jan 2005 20:29:20 -0800
From: JohnG
To: FreeBSD-security@FreeBSD.org
Subject: Intrusion Suspected, Advice Sought

I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband connection.
I have reason to think my system has been tampered with. Security
features in Mac OS X have been left unlocked (Preference Pane - Users)
even though a master lock has always been set in the Security
Preference Pane. This locks all other important preference panes which
could be tampered with. Also permissions have been reset at every boot
in my working directory. I've worked on this machine for about 17
months, and I know its rhythms and what should be what. The permissions
problem is persistent and new. I do not think I am being paranoid or
alarmist. I have always had a NAT router, commercial firewall, and
virus protection.

The only thing I can think of is a hidden *nix program from a
downloaded program (shareware/freeware) (I have scanned all packages
for viruses). I am almost positive it did not come via e-mail. I say
almost because I have been receiving odd e-mails that are totally blank
and have no information I can find. Conceivably, it could have been a
hacker. If so, that person was very skillful in getting in and only
left small traces of poking around.

I assume your advice will be to do a clean re-install of both system
and programs. My question is how do I re-import the data from full
backup (probably also containing whatever it is) without further
jeopardizing my system? Any other advice, tips, or pointers to FreeBSD
programs I could run on Mac would be greatly appreciated.

John Scherb

From owner-freebsd-security@FreeBSD.ORG Fri Jan 7 13:45:46 2005
Date: Fri, 07 Jan 2005 08:45:40 -0500
From: Mark Stanislav
To: freebsd-security@freebsd.org
Message-id: <6B6C5FBC-60B2-11D9-ADDE-000A95CD9660@uncompiled.com>
Subject: Re: Intrusion Suspected, Advice Sought

I guess I fail to see where your actual evidence for concern is? Can
you specifically tell us what you have seen with reason to believe it
was caused by some form of an intruder? Permission problems can occur
on their own with OS X. And never forget about programs doing their own
bidding after you authenticate. If there was a violation of your wanted
effects, I would believe it was a program you installed personally and
not an outside intruder.

From your scenario, I really doubt you have been compromised, and
unless you have a very important computer, I don't think you would be
getting attacked to begin with on an OS like this. I haven't heard of
any Mac OS X worms or anything like that.

-Mark

On Jan 6, 2005, at 11:29 PM, JohnG wrote:

> I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband
> connection. I have reason to think my system has been tampered with.
> Security features in Mac OS X have been left unlocked (Preference Pane
> - Users) even though a master lock has always been set in the Security
> Preference Pane. This locks all other important preference panes which
> could be tampered with. Also permissions have been reset at every boot
> in my working directory. I've worked on this machine for about 17
> months, and I know its rhythms and what should be what. The
> permissions problem is persistent and new. I do not think I am being
> paranoid or alarmist. I have always had a NAT router, commercial
> firewall, and virus protection.
>
> The only thing I can think of is a hidden *nix program from a
> downloaded program (shareware/freeware) (I have scanned all packages
> for viruses). I am almost positive it did not come via e-mail. I say
> almost because I have been receiving odd e-mails that are totally
> blank and have no information I can find. Conceivably, it could have
> been a hacker. If so, that person was very skillful in getting in and
> only left small traces of poking around.
>
> I assume your advice will be to do a clean re-install of both system
> and programs. My question is how do I re-import the data from full
> backup (probably also containing whatever it is) without further
> jeopardizing my system? Any other advice, tips, or pointers to FreeBSD
> programs I could run on Mac would be greatly appreciated.
>
> John Scherb

From owner-freebsd-security@FreeBSD.ORG Sat Jan 8 04:19:39 2005
Date: Fri, 7 Jan 2005 20:20:15 -0800
From: "Steven Alexander"
Subject: Missing functionality in Blowfish for crypt(3)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64

From owner-freebsd-security@FreeBSD.ORG Sat Jan 8 16:31:18 2005
Date: Sat, 8 Jan 2005 08:31:17 -0800 (PST)
From: Roger Marquis
To: freebsd-security@freebsd.org
In-Reply-To: <20050108120108.3CAC016A4CF@hub.freebsd.org>
References: <20050108120108.3CAC016A4CF@hub.freebsd.org>
Message-Id: <20050108163117.AE9EA2BDEA@mx5.roble.com>
Subject: Re: OSX Intrusion Suspected, Advice Sought

JohnG wrote:
> I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband connection.
> I have reason to think my system has been tampered with. Security
> features in Mac OS X have been left unlocked (Preference Pane - Users)

OSX is substantially different from FreeBSD (even without netinfo)
despite having some of the same source code. I doubt you'll find
much OSX expertise among freebsd-security subscribers even if it
wasn't OT.

Assuming there is no osx-security list or newsgroup your best bet
would be to contact Apple directly. However, given Apple's
difficulties issuing patches and all the insecure, desktop-oriented
changes made to OSX's older FreeBSD base, it's a losing battle (IME).

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/