Subject: Re: where does time come from?
To: James K. Lowden <jklowden@schemamania.org>
From: Perry E. Metzger <perry@piermont.com>
List: netbsd-help
Date: 09/25/2002 01:58:57
"James K. Lowden" <jklowden@schemamania.org> writes:
> AFAICT, my ancient 1.4.2 i386 firewall-cum-mailhub went south at 6:04 AM
[...]
> I didn't realize anything was wrong until 13 hours later, at ~19:00.  

I'd strongly suggest upgrading to 1.6 by the way. 1.4.2 has more
security holes than I can name. You're inviting horror.

> What puzzles me is that on restarting, the system still thought it was
> 6:04 (or so).  I killed ntpd, ran date(1) to approximate the time,
> ntpdate(8) to fix it, and restarted ntpd.  
> 
> Is the TOD clock initialized from time information on the root filesystem,
> or is it possible my system was compromised and tampered with?  

See sys/arch/i386/isa/clock.c::inittodr()

The first comment in the function tells the story:

        /*
         * We mostly ignore the suggested time (which comes from the
         * file system) and go for the RTC clock time stored in the
         * CMOS RAM.  If the time can't be obtained from the CMOS, or
         * if the time obtained from the CMOS is 5 or more years less
         * than the suggested time, we used the suggested time.  (In
         * the latter case, it's likely that the CMOS battery has
         * died.)
         */

Did you ignore the following boot message?

                printf("WARNING: clock time much less than file system time\n");
                printf("WARNING: using file system time\n");


-- 
Perry E. Metzger		perry@piermont.com
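
A simplified model of the selection rule in the kernel comment quoted above, added here as an illustration; it is not the NetBSD source and not part of the original message. The helper name, the enum, the 5 x 365 day threshold and the sample timestamps are assumptions constructed for the example.

```c
#include <stdio.h>

/* Assumption: "5 years" taken as 5 * 365 days; the kernel's own constant
 * is not shown in the message. */
#define FIVE_YEARS_SECS (5LL * 365 * 24 * 60 * 60)

enum tod_source { TOD_RTC, TOD_FS_RTC_UNREADABLE, TOD_FS_RTC_STALE };

struct tod_choice {
    long long value;        /* seconds since the epoch chosen at boot */
    enum tod_source source; /* why that value was chosen */
};

/* Hypothetical helper modelling the rule in the quoted comment.
 * rtc_ok == 0 models "the time can't be obtained from the CMOS". */
struct tod_choice choose_boot_time(long long fs_time, int rtc_ok, long long rtc_time)
{
    struct tod_choice c = { rtc_time, TOD_RTC };

    if (!rtc_ok) {
        c.value = fs_time;
        c.source = TOD_FS_RTC_UNREADABLE;
    } else if (fs_time - rtc_time >= FIVE_YEARS_SECS) {
        /* RTC is 5 or more years behind: likely a dead CMOS battery. */
        c.value = fs_time;
        c.source = TOD_FS_RTC_STALE;
    }
    return c;
}

int main(void)
{
    static const char *why[] = { "RTC", "file system (RTC unreadable)",
                                 "file system (RTC 5+ years behind)" };
    long long fs = 1032847440LL;            /* constructed file system time */
    struct { int ok; long long rtc; } cases[] = {
        { 1, fs + 13 * 3600 },              /* healthy RTC, 13 hours later */
        { 0, 0 },                           /* CMOS read failed */
        { 1, 315532800LL },                 /* constructed: RTC reset to 1980 */
        { 1, fs - FIVE_YEARS_SECS + 1 },    /* just under 5 years behind */
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct tod_choice c = choose_boot_time(fs, cases[i].ok, cases[i].rtc);
        printf("case %u: boot time %lld from %s\n", i, c.value, why[c.source]);
    }
    return 0;
}
```

Under this model an RTC that is behind by less than five years is accepted as-is, so only a large backward jump or an unreadable CMOS falls back to the file system time.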