system breach
Thomas Nyström
thn at saeab.se
Fri Dec 29 10:48:32 PST 2006
gareth wrote:
> On Fri 2006-12-29 (17:25), Thomas Nyström wrote:
>
>>I just checked one of my servers and also found a /tmp/download
>>directory with the same files that you had.
>>
>>I then compared the timestamp of /tmp/download with the timestamp
>>of the directories in /var/db/pkg: Same.
>>
>>My conclusion is that during a portupgrade these files were written
>>there, directly or indirectly by portupgrade or the port itself.
>
>
> oh. ok. well even though that's weird behaviour from a package it's
> more plausible since i haven't found anything else suspicious. are
> the timestamps exactly the same? i have 4 packages that're 20 minutes
> different. which of yours are the same? or was that for all files.
> (since i'd like to try and reproduce it).

It looks like this:

ture(root)# dir
total 50
drwxrwxr-x   5 root  wheel    512 29 Aug 16:29 ./
drwxrwxrwt  11 root  wheel   3072 29 Dec 19:35 ../
drwxrwxr-x   4 root  wheel    512 29 Aug 16:29 Archive_Tar-1.3.1/
drwxrwxr-x   3 root  wheel    512 29 Aug 16:29 Console_Getopt-1.2/
drwxrwxr-x   3 root  wheel    512 29 Aug 16:29 XML_RPC-1.5.0/
-rw-rw-r--   1 root  wheel  15433 12 Jul 02:09 package.xml
-rw-rw-r--   1 root  wheel  22193 12 Jul 02:09 package2.xml

Exactly which port did this is hard to tell. I have around
130 ports installed and most of them were updated 29th Aug.

I have looked at the files that exist in these directories
and according to the +CONTENTS files in /var/db/pkg all are claimed
to belong to pear-1.4.11 so that might be a candidate.....

/thn
--
---------------------------------------------------------------
      Svensk Aktuell Elektronik AB      Thomas Nyström
      Box 10                            Phone: +46 8 35 92 85
      S-191 21 Sollentuna               Fax:   +46 8 35 92 86
      Sweden                            Email: thn at saeab.se
---------------------------------------------------------------
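
The two checks described in the message above, as an added example that is not part of the original post: it lists the package directories whose modification time falls close to that of an unexplained directory, and the packages whose +CONTENTS packing list names a given file. The function names, the 30-minute window and matching on the file's basename are assumptions, as is the packing-list layout (lines starting with "@" are directives, all other lines are file paths).

```python
"""Correlate an unexplained directory with the package database (added example)."""
import os
import sys


def packages_near(pkg_db, target, window=1800):
    """Return [(package, delta_seconds)] for package directories whose mtime
    is within `window` seconds of `target`'s mtime, closest first."""
    t0 = os.stat(target).st_mtime
    hits = []
    for name in os.listdir(pkg_db):
        path = os.path.join(pkg_db, name)
        if os.path.isdir(path):
            delta = int(os.stat(path).st_mtime - t0)
            if abs(delta) <= window:
                hits.append((name, delta))
    return sorted(hits, key=lambda h: (abs(h[1]), h[0]))


def claimed_by(pkg_db, filename):
    """Return packages whose +CONTENTS lists a file with this basename.
    Assumption: lines starting with '@' are directives, the rest are paths."""
    owners = []
    for name in sorted(os.listdir(pkg_db)):
        contents = os.path.join(pkg_db, name, "+CONTENTS")
        try:
            with open(contents, errors="replace") as fh:
                for line in fh:
                    line = line.strip()
                    if line and not line.startswith("@") \
                            and os.path.basename(line) == filename:
                        owners.append(name)
                        break
        except OSError:
            continue  # no packing list, or unreadable: skip this entry
    return owners


if __name__ == "__main__":
    # usage: script.py /var/db/pkg /tmp/download [file names...]
    db, suspect = sys.argv[1], sys.argv[2]
    for pkg, delta in packages_near(db, suspect):
        print(f"{delta:+6d}s  {pkg}")
    for fname in sys.argv[3:]:
        print(fname, "->", claimed_by(db, fname) or "unclaimed")
```

A directory's mtime changes whenever an entry in it is added or removed, so a match narrows the list of candidate packages rather than identifying the one that wrote the files.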
More information about the freebsd-stable mailing list