4203:31337 (possible exploit?)

Kris Kennaway kris at FreeBSD.org
Sat Nov 10 12:40:22 PST 2007


Mike -freebsd wrote:
> On Nov 10, 2007 5:28 PM, Kris Kennaway <kris at freebsd.org> wrote:
> 
>>> Sounds like you may have a security problem (re: "31337" GID).  If
>>> that's the case, I would strongly advocate formatting + reinstalling
>>> those machines.
>> I asked because that is the uid/gid used on pointyhat ;)
>>
>> Kris
>>
>>
> Well, I've dug up all available backups and what I can tell is that
> those uid/gid propagated with the rest of the ports tree from a main
> box used here for builds, installations and updates to the whole
> network. Stupid me had weekly noid reports disabled on all of them,
> except the last one added recently that finally caught it. The problem
> was there present for at least three, possibly four months...
> 
> BUT I'm 95% sure that the main ports tree was never downloaded via
> anything else than c[v]sup + supfile with default host set to either
> ftp.freebsd.org, or one of the official mirrors, for the past few years.
> I wish I could tell you more, but I see nothing even remotely
> connected to pointyhat, as there is no point of using any other than
> official ports repo for production machines. OTOH, you won't believe
> how glad I was to hear that those are pointyhat IDs.. The "31337"
> scared the shit out of me :(

Well the only possibility I can think of is if you installed from a 
ports.tar.gz downloaded from the FTP site, and extracted with the tar -p 
option that preserves ownership.  Actually that doesn't make sense 
either because that tarball isn't sourced from pointyhat anyway.  In 
case it jogs any memories, 4203 is the uid used for managing the sparc64 
package builds (and gid 31337 is for portmgr ;-).

Kris
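
Added example, not part of the original message or of any FreeBSD tooling: a check that lists the numeric owners stored in a tarball and flags those with no matching local account or group, which is how IDs such as 4203:31337 can land on disk when an archive is unpacked with ownership preserved. The sample archive, its member paths and the function names are constructed for illustration.

```python
import io
import tarfile

def build_sample_tarball():
    """Constructed sample: a tiny ports-like tarball in which two members
    carry the numeric owner 4203:31337 and one is owned by root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, uid, gid in [
            ("ports/Makefile", 0, 0),
            ("ports/lang/foo/Makefile", 4203, 31337),
            ("ports/lang/foo/distinfo", 4203, 31337),
        ]:
            data = b"# constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.uid, info.gid = uid, gid
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def foreign_owners(tar_bytes, known_uids, known_gids):
    """Return {(uid, gid): [member names]} for every member whose numeric
    uid or gid is absent from the supplied sets of local IDs."""
    hits = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.uid not in known_uids or member.gid not in known_gids:
                hits.setdefault((member.uid, member.gid), []).append(member.name)
    return hits

def local_ids():
    """Collect the uids and gids defined on this host (Unix only)."""
    import grp
    import pwd
    uids = {p.pw_uid for p in pwd.getpwall()}
    gids = {g.gr_gid for g in grp.getgrall()}
    return uids, gids

if __name__ == "__main__":
    uids, gids = local_ids()
    report = foreign_owners(build_sample_tarball(), uids, gids)
    for (uid, gid), names in sorted(report.items()):
        print(f"{uid}:{gid} has no local account/group: "
              f"{len(names)} member(s), e.g. {names[0]}")
```

Running the same function over a real archive before unpacking it as root shows which ownerless files a later noid report would flag.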

