From: Brett Glass <brett@lariat.org>
To: questions@freebsd.org
Date: Wed, 06 Jul 2005 10:41:56 -0600
Subject: Has this box been hacked?
Message-Id: <6.2.1.2.2.20050706104045.0931c6b0@localhost>
List: freebsd-questions (User questions)

A client had a network problem, and I wanted to make sure that his FreeBSD 4.11 router wasn't the cause of it, so I rebooted it.
I then did a "last" command and saw the following:

    root      ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
    admin     ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
    root      ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
    reboot    ~                         Tue Jul  5 11:49
    shutdown  ~                         Tue Jul  5 11:47
    root      ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
    reboot    ~                         Tue Jul  5 11:36
    shutdown  ~                         Tue Jul  5 05:36
    shutdown  ~                         Tue Jul  5 11:22

Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of chronological order and the other logs don't show the typical debug messages at that time.

Where might such an entry come from? How likely is it that the box has been rooted? Are there known exploits that might have been used to root a FreeBSD 4.11-RELEASE machine?

(The only unusual activity I can see in the logs is a few attempts to log in as "root" via SSH. The attempts that were logged were not successful, but of course a skilled attacker would cover his tracks.)

--Brett
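The two checks a responder would actually run over a listing like the one above, as an added example that is not part of the original message and is not FreeBSD's own code: `last` walks wtmp from newest to oldest, so timestamps must never increase going down the list, and (reading oldest to newest) a "shutdown" record should be followed by a "reboot" record before the next "shutdown". The script below parses the listing quoted in the message, re-typed into `last`'s column layout as a constructed sample, and reports both kinds of anomaly. The year is not printed by `last`; 2005 is assumed from the message date. One caveat the checker cannot resolve by itself: wtmp records carry whatever the system clock said when they were written, so a clock step (for example the clock being corrected after boot) can also produce out-of-order entries; the tool flags, a human decides.

```python
"""Sanity-check `last` output for timestamp and shutdown/reboot anomalies."""
import re
from datetime import datetime

# Constructed sample: the listing from the message above, re-typed into the
# column layout `last` prints on FreeBSD 4.x (host column blank for the console).
SAMPLE = """\
root      ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
admin     ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
root      ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
reboot    ~                         Tue Jul  5 11:49
shutdown  ~                         Tue Jul  5 11:47
root      ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
reboot    ~                         Tue Jul  5 11:36
shutdown  ~                         Tue Jul  5 05:36
shutdown  ~                         Tue Jul  5 11:22
"""

# `last` does not print the year; assumed from the date of the message.
ASSUMED_YEAR = 2005

# user, tty, optional host, weekday, month, day, HH:MM; the trailing
# "- 12:05 (00:04)" / "- shutdown" part is not needed for ordering checks.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+"
    r"(?P<mon>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+"
    r"(?P<day>\d{1,2})\s+(?P<hh>\d{2}):(?P<mm>\d{2})"
)


def parse_last(text, year=ASSUMED_YEAR):
    """Return (user, tty, host, datetime) tuples in the order `last` prints them (newest first)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("wtmp begins"):
            continue  # trailer line and blanks carry no record
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            "%d %s %s %s %s" % (year, m.group("mon"), m.group("day"),
                                m.group("hh"), m.group("mm")),
            "%Y %b %d %H %M",
        )
        entries.append((m.group("user"), m.group("tty"), m.group("host") or "", stamp))
    return entries


def find_time_inversions(entries):
    """Adjacent pairs where the lower (older) line carries a LATER timestamp than
    the line above it. Returns (index_of_lower_line, above, below)."""
    bad = []
    for i in range(1, len(entries)):
        above, below = entries[i - 1], entries[i]
        if below[3] > above[3]:
            bad.append((i, above, below))
    return bad


def find_unpaired_shutdowns(entries):
    """Heuristic: reading oldest to newest, a shutdown record should be followed by a
    reboot record before another shutdown appears. Returns the shutdown records that
    arrive while a previous shutdown is still 'open'."""
    flagged = []
    pending = None
    for e in reversed(entries):  # oldest first
        if e[0] == "shutdown":
            if pending is not None:
                flagged.append(e)
            pending = e
        elif e[0] == "reboot":
            pending = None
    return flagged


def report(text):
    """Human-readable findings for a `last` listing."""
    entries = parse_last(text)
    lines = []
    for _, above, below in find_time_inversions(entries):
        lines.append("time inversion: %s %s %s is followed by later %s %s %s" % (
            above[0], above[1], above[3].strftime("%b %d %H:%M"),
            below[0], below[1], below[3].strftime("%b %d %H:%M")))
    for e in find_unpaired_shutdowns(entries):
        lines.append("shutdown at %s with no reboot since the previous shutdown"
                     % e[3].strftime("%b %d %H:%M"))
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```

Run it against `last > last.txt` copied off the box; on the sample it reports exactly the 05:36 record, once for breaking the descending order and once for being a shutdown with no intervening reboot. Keep in mind that a missing reboot record can also follow a drop to single-user mode, so the second check is a prompt to look at the other logs, not evidence on its own.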