system breach
gareth
bsd at lordcow.org
Fri Dec 29 07:59:29 PST 2006
On Thu 2006-12-28 (22:10), David Todd wrote:
> something's up, nothing in ports will write to a /tmp/download
> directory, so either you or someone with root access did it.
thought as much :/
> I suggest:
> checking /var/log/auth.log for attempted breachings
i had a rough skim and nothing suspicious, wanted to know when this
happened so i could scrutinise the logs better.
> run sockstat and look for processes with ports open that shouldn't
> have ports open.
thx, had a look at that and netstat etc, everything's normal.
> conftest cores usually mean a ./configure was issued and parts of
> said configure failed, them being so far apart suggests that some work
> was done to the configure script to fix it.
>
> If you didn't install anything from ports at or around those periods
> of time, then someone was running a configure script to build
> something on the machine.
ah. it could very well have been me, was compiling a lot of stuff
around those 2 days. doesn't seem like portupgrade etc keeps logs
to check.
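
An added example, not part of the original message or written by either poster: one way to narrow an auth.log review to the periods around the modification times of the suspicious files (the conftest cores, /tmp/download). The log lines, host name, addresses, account names and artifact times are constructed; in real use the times would come from `os.stat(path).st_mtime` on each file.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in syslog format (not from the thread); auth.log lines carry no year.
SAMPLE_AUTH_LOG = """\
Dec 26 09:14:02 box sshd[811]: Accepted publickey for gareth from 192.0.2.10 port 50122 ssh2
Dec 26 09:20:45 box su: gareth to root on /dev/ttyp0
Dec 27 03:41:19 box sshd[1402]: Failed password for root from 198.51.100.7 port 40211 ssh2
Dec 27 03:41:58 box sshd[1405]: Accepted password for www from 198.51.100.7 port 40230 ssh2
Dec 28 18:02:33 box sshd[2210]: Accepted publickey for gareth from 192.0.2.10 port 50377 ssh2
"""

# "Mon DD HH:MM:SS host program[pid]: message"; the pid part is optional (su has none).
LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$")
# sshd login results and su transitions ("user to root on tty", "BAD SU ...").
INTERESTING = re.compile(r"^(Accepted|Failed) \S+ for |^(BAD SU )?\S+ to \S+ on ")

def parse(log_text, year):
    """Yield (timestamp, program, message) for session-related entries."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and INTERESTING.match(m.group(3)):
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def sessions_near(artifact_times, log_text, year, window=timedelta(hours=1)):
    """Map each artifact mtime to the auth entries logged within +/- window of it."""
    entries = list(parse(log_text, year))
    return {t: [e for e in entries if abs(e[0] - t) <= window] for t in artifact_times}

if __name__ == "__main__":
    # Constructed mtimes standing in for two conftest core files.
    cores = [datetime(2006, 12, 26, 9, 31, 10), datetime(2006, 12, 27, 4, 5, 0)]
    for when, hits in sessions_near(cores, SAMPLE_AUTH_LOG, 2006).items():
        print(f"artifact modified {when}:")
        for ts, prog, msg in hits:
            print(f"    {ts}  {prog}: {msg}")
```

File modification times can be altered by anyone with write access to the file, so an empty window narrows the search but does not rule out activity.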
More information about the freebsd-stable mailing list