Date: Wed, 06 Jul 2005 10:42:29 -0600 From: Brett Glass <brett@lariat.org> To: questions@freebsd.org Subject: Has this box been hacked? Message-ID: <6.2.1.2.2.20050706104045.0931c6b0@localhost>
next in thread | raw e-mail | index | archive | help
A client had a network problem, and I wanted to make sure that his FreeBSD 4.11 router wasn't the cause of it, so I rebooted it. I then did a "last" command and saw the following: root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04) admin ttyp0 localhost Tue Jul 5 11:57 - 11:57 (00:00) root ttyv0 Tue Jul 5 11:49 - 12:00 (00:11) reboot ~ Tue Jul 5 11:49 shutdown ~ Tue Jul 5 11:47 root ttyv0 Tue Jul 5 11:37 - shutdown (00:10) reboot ~ Tue Jul 5 11:36 shutdown ~ Tue Jul 5 05:36 shutdown ~ Tue Jul 5 11:22 Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of chronological order and the other logs don't show the typical debug messages at that time. Where might such an entry come from? How likely is it that the box has been rooted? Are there known exploits that might have been used to root a FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a few attempts to log in as "root" via SSH. The attempts that were logged were not successful, but of course a skilled attacker would cover his tracks.) --Brett
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.2.1.2.2.20050706104045.0931c6b0>