From: gareth
To: stable@freebsd.org
Date: Fri, 29 Dec 2006 22:39:08 +0200
Subject: Re: system breach
Message-ID: <20061229203908.GA6029@lordcow.org>
In-Reply-To: <45956307.4090403@saeab.se>

On Fri 2006-12-29 (19:48), Thomas Nyström wrote:
> It looks like this:
>
> ture(root)# dir
> total 50
> drwxrwxr-x   5 root  wheel    512 29 Aug 16:29 ./
> drwxrwxrwt  11 root  wheel   3072 29 Dec 19:35 ../
> drwxrwxr-x   4 root  wheel    512 29 Aug 16:29 Archive_Tar-1.3.1/
> drwxrwxr-x   3 root  wheel    512 29 Aug 16:29 Console_Getopt-1.2/
> drwxrwxr-x   3 root  wheel    512 29 Aug 16:29 XML_RPC-1.5.0/
> -rw-rw-r--   1 root  wheel  15433 12 Jul 02:09 package.xml
> -rw-rw-r--   1 root  wheel  22193 12 Jul 02:09 package2.xml

snap ;) package*.xml are also "12 Jul 02:09"

> Exactly which port that did this is hard to tell. I have around
> 130 ports installed and most of them were updated 29:th Aug.
> I have looked at the files that exist in these directories
> and according to the +CONTENTS files in /var/db/pkg all is claimed
> to belong to pear-1.4.11 so that might be a candidate.....

ah yes, well played, md5's match too.
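
The check discussed in this message, comparing files on disk against the MD5 values recorded in a package's +CONTENTS file, as an added example that is not part of the original post. It assumes the old pkg_install layout in which each file line is followed by `@comment MD5:<hex>`; the package name, paths and file contents are constructed.

```python
import hashlib
import os
import tempfile

def parse_contents(text):
    """Return [(absolute_path, md5_hex)] recorded in +CONTENTS text."""
    cwd, last, out = "/", None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("@cwd "):
            cwd, last = line[5:].strip(), None
        elif line.startswith("@comment MD5:") and last:
            out.append((last, line.split(":", 1)[1].lower()))
            last = None
        elif line and not line.startswith("@"):
            last = os.path.join(cwd, line)  # file line, relative to @cwd
    return out

def md5_of(path):
    h = hashlib.md5()  # MD5 only because that is what +CONTENTS records
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(contents_text, root="/"):
    """Classify each recorded file as 'ok', 'modified' or 'missing'."""
    result = {}
    for path, want in parse_contents(contents_text):
        on_disk = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(on_disk):
            result[path] = "missing"
        else:
            result[path] = "ok" if md5_of(on_disk) == want else "modified"
    return result

def demo():
    """Constructed package: one intact file, one altered, one absent."""
    files = {"package.xml": b"<package/>\n", "package2.xml": b"<package2/>\n"}
    lines = ["@name example-1.0", "@cwd /usr/local/share/example"]
    for name, data in files.items():
        lines += [name, "@comment MD5:" + hashlib.md5(data).hexdigest()]
    lines += ["gone.txt", "@comment MD5:" + "0" * 32]
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "usr/local/share/example")
        os.makedirs(d)
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        with open(os.path.join(d, "package2.xml"), "ab") as f:
            f.write(b"<!-- changed after install -->")
        return verify("\n".join(lines), root)
```

A match only shows that the files agree with the local package database; on a host suspected of compromise, compare against a +CONTENTS copy or package taken from a trusted source.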