From owner-freebsd-chat@FreeBSD.ORG Tue Dec 10 06:19:50 2013
From: "Jason C. Wells"
Date: Mon, 09 Dec 2013 22:11:08 -0800
To: fbsd_chat
Subject: Rooted
Message-ID: <52A6B07C.5050606@speakeasy.net>
List-Id: Non technical items related to the community
X-BeenThere: freebsd-chat@freebsd.org

For the second time in my life I've been rooted. I found a barbut.bsd.core file and a talkng file in my /root directory. Barbut is some sort of binary that a webserver hack seems to download and run after a broken module provides access.

That's bothersome enough. But the very bothersome part is that I do not run any services on this box beyond what is needed to provide packet filtering and ftp-proxy. I have all accounts disabled. I only log in after booting to single user mode on the console.

I'm looking at the security advisories and I don't see one that seems to apply to my 8.2 system in my configuration. So, short of an exploit in the network stack, pf, and ftp-proxy, what is a possible attack vector?

Regarding the security advisory lingo, does "unprivileged user" mean a remote attacker? Most (all?) of the advisories seem to involve local exploits or exploitable services.

Regards,
Jason C. Wells
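The first question a responder asks of a box whose owner believes it "runs no services" is what is actually listening. The following is an added example, not part of the mailing-list post and not FreeBSD project code: it parses the column layout of `sockstat -4l` output and reports every listener bound to a non-loopback address that is not on an explicit allowlist. The sockstat text embedded below is constructed sample data, not output from the poster's machine, and the allowlist and the `31337` listener are illustrative assumptions.

```python
"""Report unexpected listening sockets from `sockstat -4l` style output.

Added example (not from the mailing-list post). Parses FreeBSD sockstat's
column layout: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.
The sample input is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed sample of `sockstat -4l` output (not real captured data).
# ftp-proxy's default bind of 127.0.0.1:8021 is loopback-only and expected;
# the other entries are here to exercise the allowlist logic.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ftp-proxy  812   4  tcp4   127.0.0.1:8021        *:*
root     syslogd    455   6  udp4   *:514                 *:*
root     sshd       700   3  tcp4   *:22                  *:*
nobody   unknown    1337  5  tcp4   *:31337               *:*
"""

LOOPBACK = {"127.0.0.1"}


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    addr: str
    port: int


def parse_sockstat(text: str) -> List[Listener]:
    """Parse sockstat's whitespace-separated columns into Listener records.

    The header line is skipped; rows whose local address has no numeric
    port (e.g. '*:*' or unix-domain sockets) are ignored.
    """
    listeners: List[Listener] = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:
            continue
        user, command, pid, _fd, proto, local, _foreign = parts[:7]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(user, command, int(pid), proto, addr, int(port)))
    return listeners


def unexpected_listeners(listeners: Iterable[Listener],
                         allowed: Set[Tuple[str, int]]) -> List[Listener]:
    """Return listeners reachable from the network that are not allowlisted.

    A listener is "reachable" when it is bound to something other than a
    loopback address (including the wildcard '*'). `allowed` holds
    (proto, port) pairs the operator deliberately exposes.
    """
    return [l for l in listeners
            if l.addr not in LOOPBACK and (l.proto, l.port) not in allowed]


def report(text: str, allowed: Set[Tuple[str, int]]) -> List[str]:
    """Human-readable lines, one per unexpected listener."""
    return [f"{l.proto} {l.addr}:{l.port} pid={l.pid} user={l.user} cmd={l.command}"
            for l in unexpected_listeners(parse_sockstat(text), allowed)]


if __name__ == "__main__":
    # Hypothetical policy for a pf + ftp-proxy box that also allows ssh.
    for line in report(SAMPLE_SOCKSTAT, allowed={("tcp4", 22)}):
        print("UNEXPECTED:", line)
```

On a live FreeBSD host the input would come from `sockstat -4l` (and `-6l` for IPv6); the point of the allowlist is that anything it reports is either an unrecorded configuration decision or a finding. It does not prove the absence of a compromise, since a kernel-level implant need not show up in sockstat at all, but it settles the "what is exposed" question that advisory triage starts from.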