From owner-freebsd-security Tue Feb 5 10:17:55 2002
From: Yonatan Bokovza
To: 'Alfred Perlstein', Victor Grey
Cc: freebsd-security@freebsd.org
Subject: RE: Is this evidence of a break-in attempt?
Date: Tue, 5 Feb 2002 20:17:28 +0200

> -----Original Message-----
> From: Alfred Perlstein [mailto:bright@mu.org]
> Sent: Tuesday, February 05, 2002 20:05
> To: Victor Grey
> Cc: freebsd-security@freebsd.org
> Subject: Re: Is this evidence of a break-in attempt?
>
>
> * Victor Grey [020205 09:53] wrote:
> > I have a server co-located at a data center, running FreeBSD 4.4 release.
> > According to /var/log/messages it rebooted itself at one minute before
> > midnight the night before last, and then (I think that's what the lines in
> > messages mean) discovered a mouse attached as it booted up. Then at 43
> > minutes past midnight there were six login failures, three as root. (Running
> > tripwire yesterday morning showed nothing suspicious.)
> >
> > Well - there shouldn't be any mouse attached, it's a headless server.
> > Furthermore, if I understand it correctly, a login failure at ttyv0 means it
> > happened at the local console -- not a remote break-in attempt over the
> > network.
> > [snip]
>
> Sure looks like someone was trying something, most likely a result

I agree. If you'd include the whole dmesg and the output of
find / -atime -ls

> "OH!!! I just remembered, we got those delivered on Saturday, they
> weren't supposed to be powered on yet and they're stealing our main
> server's IP address!"
>
> "Oh, what do I do?"
>
> "Well I need you to remove the power cables from all the boxes."
>
> "All five hundred of them?"
>
> "YES! and call me back when you're done."
>
> "Ok" *click*

Presenting: "Perlstein. Alfred Perlstein! BOFH!!" ;-)

Regards,
Yonatan.