From owner-freebsd-security@FreeBSD.ORG Wed Jun 30 13:59:43 2004
Date: Thu, 1 Jul 2004 01:59:25 +1200 (NZST)
From: Andrew McNaughton
To: Dave
cc: freebsd-security@freebsd.org
Subject: Re: ttyv for local only?
In-Reply-To: <20040629174641.N47396@metafocus.net>
Message-ID: <20040701015509.L3236@a2.scoop.co.nz>
References: <200406282221.i5SMLMA06797@giganda.komkon.org> <20040629174641.N47396@metafocus.net>

On Tue, 29 Jun 2004, Dave wrote:

> I don't really see a problem here. My mystery logins are actually still
> continuing. I'm going to see if I can code a mousetrap to find out who is
> doing it. I did a fresh source compile of world from the latest cvsup for
> 5.2.1 REL, and ran mergemaster to look for differing startup scripts...
>
> No luck yet. I wrote down the byte-sizes of sockstat, ps, and getty on a
> piece of paper. I'm going to watch them over the next couple of days.

md5 sums are generally better for this sort of thing. It's not all that
hard to pad a file out to a desired size.

Also, see /usr/ports/security/l5 for a minimalist tool which is useful for
listing file data including md5 sums, file sizes, permissions, etc.

Andrew

--

No added Sugar. Not tested on animals. May contain traces of Nuts. If
irritation occurs, discontinue use.

-------------------------------------------------------------------
Andrew McNaughton           Living in a shack in Tasmania
andrew@scoop.co.nz          Between the bush and the sea
Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc
                            http://www.scoop.co.nz/
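
The point made in the reply above, as an added example that is not part of the original message and is not the l5 tool: a baseline that records a digest next to size and permissions, run against a constructed stand-in file whose contents are replaced and padded back to the same length. It assumes SHA-256 in place of the MD5 named in the message; the function names and the file are made up for the illustration.

```python
import hashlib
import os
import stat
import tempfile

FIELDS = ("size", "mode", "sha256")

def snapshot(paths):
    """Record size, permission bits and SHA-256 digest for each existing path."""
    result = {}
    for p in paths:
        try:
            st = os.stat(p)
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
        except FileNotFoundError:
            continue  # compare() reports it as missing
        result[p] = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
                     "sha256": h.hexdigest()}
    return result

def compare(baseline, current):
    """Return {path: [changed fields]}; a vanished file maps to ["missing"]."""
    changes = {}
    for p, old in baseline.items():
        new = current.get(p)
        diff = ["missing"] if new is None else [k for k in FIELDS if old[k] != new[k]]
        if diff:
            changes[p] = diff
    return changes

def demo():
    """Constructed stand-in file replaced by different content padded to the same size."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sockstat")  # stand-in name, not the real binary
        with open(path, "wb") as f:
            f.write(b"original binary contents".ljust(64, b"\0"))
        base = snapshot([path])
        with open(path, "wb") as f:
            f.write(b"replaced contents".ljust(64, b"\0"))
        return compare(base, snapshot([path]))

if __name__ == "__main__":
    print(demo())  # only the digest differs; size and mode are unchanged
```

Keep the baseline off the monitored host, since anyone who can replace a binary can also rewrite a baseline stored beside it.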