Date: Fri, 20 Jul 2001 11:28:09 -0700 (PDT)
From: Tom
To: "Chad R. Larson"
Cc: admin@kremilek.gyrec.cz, freebsd-stable@FreeBSD.ORG
Subject: Re: probably remote exploit

On Fri, 20 Jul 2001, Chad R. Larson wrote:

> On Fri, Jul 20, 2001 at 09:24:20AM -0700, Tom wrote:
> > There are known problems with ntpd, which you seem to be using. There
> > is also a local exploit in 4.3-RELEASE. You should be on the
> > freebsd-security mailing list, and you should be checking the archives
> > of that list first.
>
> Also, to be sure no one installed any backdoors, you might want to
> do a CVSup/buildworld/installworld cycle.

But if a backdoor is installed, you can't trust cvsup, or make either. Any binary could have been tampered with. For instance, I would make a backdoor make that would detect that an installworld is underway, and always make sure that a backdoored copy of "login" and another copy of "make".

Tom