From owner-freebsd-questions@FreeBSD.ORG  Sat May 10 21:01:15 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 12DDF1065671
	for <freebsd-questions@freebsd.org>;
	Sat, 10 May 2008 21:01:15 +0000 (UTC)
	(envelope-from fbsd.questions@rachie.is-a-geek.net)
Received: from snoogles.rachie.is-a-geek.net (rachie.is-a-geek.net
	[66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id CE7228FC17
	for <freebsd-questions@freebsd.org>;
	Sat, 10 May 2008 21:01:14 +0000 (UTC)
	(envelope-from fbsd.questions@rachie.is-a-geek.net)
Received: from localhost (localhost [127.0.0.1])
	by snoogles.rachie.is-a-geek.net (Postfix) with ESMTP id DBB291CD4A;
	Sat, 10 May 2008 13:01:13 -0800 (AKDT)
From: Mel <fbsd.questions@rachie.is-a-geek.net>
To: freebsd-questions@freebsd.org,
 dennis_flynn@yahoo.com
Date: Sat, 10 May 2008 23:00:41 +0200
User-Agent: KMail/1.9.7
References: <812883.11120.qm@web54010.mail.re2.yahoo.com>
In-Reply-To: <812883.11120.qm@web54010.mail.re2.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200805102300.41775.fbsd.questions@rachie.is-a-geek.net>
Cc: 
Subject: Re: root login stops working
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 10 May 2008 21:01:15 -0000

On Saturday 10 May 2008 20:50:46 Dennis Flynn wrote:
> I'm running FreeBSD wx.dennis-flynn.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0:
> Sun Feb 24 19:59:52 UTC 2008    
> root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>
> About a day after install root login no longer works - even on the console.
>
> I see the following in /var/log/auth.log:
> May 10 14:22:37 wx sshd[86223]: Accepted password for root from
> 10.11.12.104 port 1492 ssh2 May 10 14:22:37 wx sshd[86223]: Received
> disconnect from 10.11.12.104: 0:
>
> And in /var/log/messages:
> May 10 14:27:51 wx kernel: pid 86237 (csh), uid 0: exited on signal 11
> (core dumped)

Looks like you got hacked, the tell-tale being "ip port ####".
http://security.freebsd.org/advisories/FreeBSD-SA-08:05.openssh.asc

-- 
Mel

Problem with today's modular software: they start with the modules
    and never get to the software part.