Re: system breach



gareth wrote:
On Thu 2006-12-28 (22:10), David Todd wrote:

something's up, nothing in ports will write to a /tmp/download
directory, so either you or someone with root access did it.

I just checked one of my servers and also found a /tmp/download
directory with the same files that you had.

I then compared the timestamp of /tmp/download with the timestamp
of the directories in /var/db/pkg: Same.

My conclusion is that during a portupgrade these files were written
there, directly or indirectly by portupgrade or the port itself.

About two years ago I cleaned up a system that really had a
system breach (through some PHP-based web application). I could
then find a directory in /tmp owned by www that contained a
complete distribution with configure script and the result of the
build. This /tmp/download doesn't look like that at all.

/thn

--
---------------------------------------------------------------
Svensk Aktuell Elektronik AB Thomas Nyström
Box 10 Phone: +46 8 35 92 85
S-191 21 Sollentuna Fax: +46 8 35 92 86
Sweden Email: thn@xxxxxxxx
---------------------------------------------------------------
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
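
The timestamp comparison described in the message above, as an added example that is not part of the original post: it lists the package directories under /var/db/pkg whose modification time falls close to that of a suspicious directory. The function names `mtime_of` and `pkgs_near` and the 300-second default window are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original message): correlate the mtime of a
# suspicious directory with the mtimes of package-database directories.

# mtime_of PATH -> modification time in epoch seconds.
# Tries GNU stat syntax first, then falls back to BSD stat syntax.
mtime_of() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# pkgs_near TARGET PKGDB [WINDOW_SECONDS]
# Prints "delta_seconds<TAB>package_dir" for each directory directly under
# PKGDB whose mtime is within WINDOW_SECONDS of TARGET's mtime, closest
# first. A negative delta means the package directory is older than TARGET.
pkgs_near() {
    target=$1 pkgdb=$2 window=${3:-300}   # 300 s window is an assumed default
    t=$(mtime_of "$target") || return 1
    for d in "$pkgdb"/*/; do
        [ -d "$d" ] || continue           # glob matched nothing
        m=$(mtime_of "$d") || continue
        delta=$((m - t))
        abs=${delta#-}                    # absolute value for window and sort
        if [ "$abs" -le "$window" ]; then
            printf '%s\t%s\t%s\n' "$abs" "$delta" "$(basename "$d")"
        fi
    done | sort -n | cut -f2-
}

# Example invocation: sh script.sh /tmp/download /var/db/pkg 300
if [ "$#" -ge 2 ]; then
    pkgs_near "$@"
fi
```

A match is consistent with a port install having created the directory, but modification times can be reset by anyone with write access, so ownership and contents are worth checking as well.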


