system breach

gareth bsd at
Fri Dec 29 07:59:29 PST 2006

On Thu 2006-12-28 (22:10), David Todd wrote:
> something's up, nothing in ports will write to a /tmp/download
> directory, so either you or someone with root access did it.

thought as much :/

> I suggest:
> checking /var/log/auth.log for attempted breachings

i had a rough skim and nothing suspicious, wanted to know when this
happened so i could scrutinise the logs better.

> run sockstat and look for processes with ports open that shouldn't
> have ports open.

thx, had a look at that and netstat etc, everything's normal.

> conftest cores ususally mean a ./configure was issued and parts of
> said configure failed, them being so far apart suggests that some work
> was done to the configure script to fix it.
> If you didn't install anything from ports at or around those periods
> of time, then someone was running a configure script to build
> something on the machine.

ah. it could very well have been me, was compiling a lot've stuff
around those 2 days. doesn't seem like portupgrade etc keeps logs
to check.

More information about the freebsd-stable mailing list