Date: Fri, 29 Dec 2006 17:58:45 +0200
From: gareth <bsd@lordcow.org>
To: stable@freebsd.org
Subject: Re: system breach
Message-ID: <20061229155845.GA1266@lordcow.org>
In-Reply-To: <b91012310612282010m22a6bbdbp97bf7bdecca1530@mail.gmail.com>
References: <20061228231226.GA16587@lordcow.org> <b91012310612282010m22a6bbdbp97bf7bdecca1530@mail.gmail.com>
On Thu 2006-12-28 (22:10), David Todd wrote:

> something's up, nothing in ports will write to a /tmp/download
> directory, so either you or someone with root access did it.

Thought as much :/

> I suggest:
> checking /var/log/auth.log for attempted breachings

I had a rough skim and saw nothing suspicious; I wanted to know when this happened so I could scrutinise the logs better.

> run sockstat and look for processes with ports open that shouldn't
> have ports open.

Thx, had a look at that and netstat etc., everything's normal.

> conftest cores usually mean a ./configure was issued and parts of
> said configure failed, them being so far apart suggests that some work
> was done to the configure script to fix it.
>
> If you didn't install anything from ports at or around those periods
> of time, then someone was running a configure script to build
> something on the machine.

Ah. It could very well have been me, I was compiling a lot of stuff around those 2 days. Doesn't seem like portupgrade etc. keeps logs to check.
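A concrete way to do the auth.log skim suggested in the thread, as an added example that is not part of any message above: a POSIX sh script that runs awk over auth.log-style lines, counts sshd failures per source address, and flags any successful login from an address that had failed before (the classic brute-force-then-success pattern). The sample log lines are constructed for the example; the message formats ("Invalid user", "Failed password for", "Accepted ... for") are the ones OpenSSH's sshd writes via syslog, but the hostname, PIDs and addresses are made up. To run it against a real box, pipe `cat /var/log/auth.log` into the functions instead of the sample string.

```shell
#!/bin/sh
# Added example: triage sshd activity in auth.log-style lines.
# SAMPLE_AUTH_LOG is constructed for this example (host, pids, addresses are made up);
# the message formats are the ones OpenSSH sshd writes through syslog.
SAMPLE_AUTH_LOG='Dec 27 03:12:01 lordcow sshd[812]: Invalid user admin from 10.0.0.5
Dec 27 03:12:03 lordcow sshd[812]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Dec 27 03:12:09 lordcow sshd[815]: Failed password for root from 10.0.0.5 port 51240 ssh2
Dec 27 03:12:15 lordcow sshd[818]: Failed password for root from 10.0.0.5 port 51244 ssh2
Dec 27 03:14:20 lordcow sshd[822]: Accepted password for root from 10.0.0.5 port 51301 ssh2
Dec 28 09:00:44 lordcow sshd[1201]: Accepted publickey for gareth from 192.168.1.2 port 40022 ssh2
Dec 28 09:01:10 lordcow su: gareth to root on /dev/ttyp0'

# failed_logins_by_ip: read auth.log lines on stdin, print "count ip" per source
# address that produced sshd authentication failures, highest count first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# suspicious_logins: read auth.log lines on stdin, print the timestamp and address of
# every successful sshd login whose source address had already failed earlier in the
# log, together with how many failures preceded it. Order of lines in the log matters:
# only failures seen before the "Accepted" line count.
suspicious_logins() {
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            if (ip != "" && failed[ip] > 0)
                printf "%s %s %s %s failures=%d\n", $1, $2, $3, ip, failed[ip]
        }'
}

# Stand-alone run over the constructed sample; on a real system replace the
# printf with: cat /var/log/auth.log | suspicious_logins
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | suspicious_logins
```

The second function is the one worth keeping around: a single "Accepted" line among hundreds is easy to miss when skimming, but an acceptance from an address that was just guessing passwords is exactly the line that tells you when a break-in happened and lets you narrow the rest of the log review to that window. The 192.168.1.2 key login in the sample is deliberately left unflagged because it had no prior failures.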
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061229155845.GA1266>