4203:31337 (possible exploit?)

Kris Kennaway kris at FreeBSD.org
Sat Nov 10 08:28:49 PST 2007


Jeremy Chadwick wrote:
> On Sat, Nov 10, 2007 at 03:25:57PM +0100, Mike -freebsd wrote:
>> Guys, is anyone else seeing this?
>> drwxr-xr-x  69 4203  31337  1536 Nov  9 13:59 ports
>>
>> I see this on three of four FreeBSD 7 boxes and only on /usr/ports/
>> (why...?). Anyone else?
> 
> Four different boxes of ours:
> 
> $ uname -r && ls -ld /usr/ports
> 6.2-STABLE
> drwxr-xr-x   69 root      wheel     2048 10 Nov 02:14 /usr/ports/
> 
> $ uname -r && ls -ld /usr/ports
> 6.3-PRERELEASE
> drwxr-xr-x   69 root      wheel     1536 10 Nov 02:12 /usr/ports/
> 
> $ uname -r && ls -ld /usr/ports
> 7.0-PRERELEASE
> drwxr-xr-x   69 root      wheel     1536  7 Nov 02:24 /usr/ports/
> 
> $ uname -r && ls -ld /usr/ports
> 7.0-BETA2
> drwxr-xr-x   69 root      wheel     1536 10 Nov 02:19 /usr/ports/
> 
> Sounds like you may have a security problem (re: "31337" GID).  If
> that's the case, I would strongly advocate formatting + reinstalling
> those machines.

I asked because that is the uid/gid used on pointyhat ;)

Kris


