On 25 Sep 2002 01:58:57 -0400, "Perry E. Metzger" <perry@piermont.com>
wrote:
> 
> "James K. Lowden" <jklowden@schemamania.org> writes:
> > AFAICT, my ancient 1.4.2 i386 firewall-cum-mailhub went south at 6:04
> > AM
> [...]
> > I didn't realize anything was wrong until 13 hours later, at ~19:00.  
> 
> I'd strongly suggest upgrading to 1.6 by the way. 1.4.2 has more
> security holes than I can name. You're inviting horror.

Acknowledged, thanks.  It's on the todo list, higher now.

> > Is the TOD clock initialized from time information on the root
> > filesystem, or is it possible my system was compromised and tampered
> > with?  
> 
> See sys/arch/i386/isa/clock.c::inittodr()
> 
> Did you ignore the following boot message?
> 
>                 printf("WARNING: clock time much less than file system
>                 time\n"); printf("WARNING: using file system time\n");

Well, no, not as far as I can tell:

# zcat /var/log/messages.* |grep WARN
Sep 24 06:10:56 home root: WARNING: /etc/sendmail.cf not readable; 
sendmail not started.
# cat /var/log/messages |grep WARN
# 

The machine itself is quite new; I doubt the battery is shot.  The
paranoid part of me -- obviously not very big, or I would already have
heeded your strong advice -- is disconcerted: it leads me to think the
system clock had been reset, something I definitely didn't do.  OTOH, it
might be I wasn't paying close attention; there are no messages from ntpd
in /var/log/message* going back to 15 September.  Still, 12 hours of
drift?  That's a lot of drift and a lot not to notice.  

Thanks for the reply.

--jkl