From: Thomas Nyström
Organization: Svensk Aktuell Elektronik AB
Date: Fri, 29 Dec 2006 19:48:39 +0100
To: gareth
Cc: stable@freebsd.org
Subject: Re: system breach
Message-ID: <45956307.4090403@saeab.se>
In-Reply-To: <20061229173916.GA3196@lordcow.org>

gareth wrote:
> On Fri 2006-12-29 (17:25), Thomas Nyström wrote:
>
>>I just checked one of my servers and also found a /tmp/download
>>directory with the same files that you had.
>>
>>I then compared the timestamp of /tmp/download with the timestamp
>>of the directories in /var/db/pkg: Same.
>>
>>My conclusion is that during a portupgrade these files were written
>>there, directly or indirectly by portupgrade or the port itself.
>
>
> oh. ok. well even though that's weird behaviour from a package it's
> more plausible since i haven't found anything else suspicious. are
> the timestamps exactly the same? i have 4 packages that're 20 minutes
> different. which of yours are the same? or was that for all files.
> (since i'd like to try and reproduce it).

It looks like this:

ture(root)# dir
total 50
drwxrwxr-x   5 root  wheel    512 29 Aug 16:29 ./
drwxrwxrwt  11 root  wheel   3072 29 Dec 19:35 ../
drwxrwxr-x   4 root  wheel    512 29 Aug 16:29 Archive_Tar-1.3.1/
drwxrwxr-x   3 root  wheel    512 29 Aug 16:29 Console_Getopt-1.2/
drwxrwxr-x   3 root  wheel    512 29 Aug 16:29 XML_RPC-1.5.0/
-rw-rw-r--   1 root  wheel  15433 12 Jul 02:09 package.xml
-rw-rw-r--   1 root  wheel  22193 12 Jul 02:09 package2.xml

Exactly which port did this is hard to tell. I have around
130 ports installed and most of them were updated 29th Aug.

I have looked at the files that exist in these directories and
according to the +CONTENTS files in /var/db/pkg all is claimed to
belong to pear-1.4.11 so that might be a candidate.....

/thn

-- 
---------------------------------------------------------------
      Svensk Aktuell Elektronik AB           Thomas Nyström
      Box 10                                 Phone: +46 8 35 92 85
      S-191 21 Sollentuna                    Fax:   +46 8 35 92 86
      Sweden                                 Email: thn@saeab.se
---------------------------------------------------------------
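
Added example, not part of the original message: a sh sketch of the two checks described above. It lists packages whose database directory changed within a window of the unexplained directory's mtime, and counts which package's +CONTENTS names the files found there. It assumes the old pkg_install layout under /var/db/pkg; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumes the old pkg_install layout <dbdir>/<pkg>/+CONTENTS;
# mtime, pkgs_near_mtime and pkgs_claiming are names made up for this sketch.

# Modification time in epoch seconds (GNU stat first, then BSD stat).
mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# pkgs_near_mtime TARGET DBDIR WINDOW_SECONDS
# Packages whose database directory changed within WINDOW of TARGET's mtime.
pkgs_near_mtime() {
    target=$(mtime "$1") || return 1
    for d in "$2"/*; do
        [ -d "$d" ] || continue
        delta=$(( $(mtime "$d") - target ))
        if [ "$delta" -lt 0 ]; then delta=$(( -delta )); fi
        if [ "$delta" -le "$3" ]; then basename "$d"; fi
    done
}

# pkgs_claiming TARGET DBDIR
# For each package, count the file names under TARGET that also appear as the
# last path component of an entry in its +CONTENTS. Prints "<hits> <pkg>",
# highest first. Name matches are candidates only; compare checksums to confirm.
pkgs_claiming() {
    names=$(mktemp) || return 1
    find "$1" -type f | sed 's|.*/||' | sort -u > "$names"
    for c in "$2"/*/+CONTENTS; do
        [ -f "$c" ] || continue
        # Drop @-directives (@name, @cwd, @comment), keep each file's base name.
        hits=$(grep -v '^@' "$c" | sed 's|.*/||' | sort -u |
               grep -cxF -f "$names") || true
        if [ "$hits" -gt 0 ]; then
            echo "$hits $(basename "$(dirname "$c")")"
        fi
    done | sort -rn
    rm -f "$names"
}
```

Typical use: pkgs_near_mtime /tmp/download /var/db/pkg 1200 for a 20 minute window, then pkgs_claiming /tmp/download /var/db/pkg to rank the candidates.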