Date:      Fri, 20 Jul 2001 21:01:38 -0500
From:      Mike Meyer <mwm@mired.org>
To:        "Chad R. Larson" <chad@DCFinc.com>
Cc:        Chris Faulhaber <jedgar@fxp.org>, Tom <tom@uniserve.com>, admin@kremilek.gyrec.cz, freebsd-stable@FreeBSD.ORG
Subject:   Re: probably remote exploit
Message-ID:  <15192.57986.777597.940024@guru.mired.org>
In-Reply-To: <20010720140331.A12903@freeway.dcfinc.com>
References:  <Pine.LNX.3.96.1010720174942.651C-100000@kremilek.gyrec.cz> <Pine.BSF.4.10.10107200923060.4917-100000@athena.uniserve.ca> <20010720111551.A12442@freeway.dcfinc.com> <20010720141820.C47930@peitho.fxp.org> <20010720140331.A12903@freeway.dcfinc.com>

Chad R. Larson <chad@DCFinc.com> types:
> On Fri, Jul 20, 2001 at 02:18:20PM -0400, Chris Faulhaber wrote:
> > On Fri, Jul 20, 2001 at 11:15:51AM -0700, Chad R. Larson wrote:
> >> On Fri, Jul 20, 2001 at 09:24:20AM -0700, Tom wrote:
> >>> There are known problems with ntpd, which you seem to be using.  There
> >>> is also a local exploit in 4.3-RELEASE.  You should be on the
> >>> freebsd-security mailing list, and you should be checking the archives
> >>> of that list first.
> >> Also, to be sure no one installed any backdoors, you might want to
> >> do a CVSup/buildworld/installworld cycle.
> > unless, of course, they trojaned the build tools :/  a full reinstall
> > is the best bet.
> Yes, but the CVSup will notice if any of the sources don't match the
> repository, and the subsequent buildworld will regenerate all the
> binaries.

As Brandon pointed out, CVSup being compromised will break that. If
the build tools are compromised by someone who has read Thompson's
1984 speech "Reflections on trusting trust" at <URL:
http://users.neca.com/seshipma/cst220/k_thompson/index.html > then
even rebuilding the world from known good sources will just rebuild
compromised binaries.

The bottom line is that you need to do the
cvsup/buildworld/installworld with binaries that you trust. That means
either ones that were checksummed before the break-in, or ones off a
release cdrom.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
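The "checksummed before the break-in" option above is the practical half of this advice, so here is an added example of what that looks like; it is not from the thread and not FreeBSD's own tooling. It records SHA-256 sums of the build toolchain into a manifest while the host is still trusted and later reports any binary that is missing or changed. The tool paths, the `--demo` switch and the constructed files under a temp directory are assumptions for illustration; the manifest, and the `sha256`/`sha256sum` binary used to check it, must come from somewhere the intruder could not reach (removable media, another host, or the release CD), otherwise the check inherits exactly the trust problem the message describes.

```shell
#!/bin/sh
# Added example (not from the original thread): record SHA-256 sums of the
# build toolchain while it is still trusted, and compare later. The tool
# list, paths and demo files are assumptions for illustration.

# Portable SHA-256 of one file: FreeBSD ships sha256(1), GNU userland sha256sum(1).
sumfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# snapshot_manifest MANIFEST FILE...
# Write "<sha256>  <path>" lines. Run this BEFORE any incident and keep the
# manifest off the host (or on read-only media); a manifest stored on the
# compromised machine can be edited along with the binaries.
snapshot_manifest() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(sumfile "$f")" "$f" >> "$manifest"
    done
}

# verify_manifest MANIFEST
# Return 0 only if every listed file is present and unchanged. Paths must not
# contain whitespace (read splits on it), which holds for system toolchains.
verify_manifest() {
    manifest=$1
    bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; bad=1
        elif [ "$(sumfile "$path")" != "$sum" ]; then
            printf 'CHANGED  %s\n' "$path"; bad=1
        else
            printf 'ok       %s\n' "$path"
        fi
    done < "$manifest"
    return "$bad"
}

# Self-contained demonstration on constructed files (no real toolchain touched).
demo() {
    d=$(mktemp -d)
    printf 'cc v1\n'   > "$d/cc"
    printf 'make v1\n' > "$d/make"
    snapshot_manifest "$d/manifest" "$d/cc" "$d/make"
    verify_manifest "$d/manifest"            # both report ok
    printf 'cc v1 + backdoor\n' > "$d/cc"    # simulate a trojaned compiler
    verify_manifest "$d/manifest" || echo "toolchain differs from pre-incident manifest; rebuild from release media"
    rm -rf "$d"
}

if [ "${1-}" = "--demo" ]; then
    demo
fi
```

On a real host you would snapshot the binaries the rebuild itself depends on, for example (paths are an assumption) `snapshot_manifest /mnt/usb/toolchain.sha256 /usr/bin/cc /usr/bin/make /usr/bin/ld /usr/bin/as /usr/local/bin/cvsup`, then after an incident boot or mount trusted media and run `verify_manifest` from there. A clean result only says those files match a pre-incident state; it does not make a toolchain that was already backdoored before the snapshot trustworthy, which is the Thompson point in the message.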