Date: Wed, 6 Feb 2002 08:19:15 -0500 (EST)
From: Weldon S Godfrey 3
To: Brett Glass
Cc: Victor Grey
Subject: Re: Is this evidence of a break-in attempt?

Good point. I recommend that for any box placed into a colo or a location where the security isn't under your direct control, you mark your console as "insecure" in /etc/ttys so that the root password will be asked for when someone boots into single-user mode.

Weldon

If memory serves me right, sometime around Yesterday, Brett Glass told me:

> In a word, yes. Looks like they went to the box with a
> keyboard and a mouse, rebooted, and tried to log in.
> Clearly, they were so clueless that they did not know
> about single-user mode.
>
> --Brett
>
> At 10:50 AM 2/5/2002, Victor Grey wrote:
>
> >-----------------------------
> >Feb 3 23:56:20 p2 syslogd: exiting on signal 15
> >
> >Feb 3 23:58:59 p2 /kernel: FreeBSD 4.4-RELEASE-p2 #0: Wed Dec 26 12:01:30
> >PST 2001
> >
> >Feb 3 23:59:00 p2 /kernel: psm0: irq 12 on atkbdc0
> >Feb 3 23:59:00 p2 /kernel: psm0: model Generic PS/2 mouse, device ID 0
> >
> >Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0
> >Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root
> >-----------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
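
The /etc/ttys change recommended in the reply above, as an added example that is not part of the original thread: a check for how the console entry is flagged, and a filter that prints the file with that entry switched to "insecure". The function names and the sample file are constructed for illustration; the code assumes the ttys(5) layout of whitespace-separated fields with the flags at the end of the line.

```shell
#!/bin/sh
# Constructed sample in ttys(5) layout (not taken from the thread).
sample_ttys() {
    cat <<'EOF'
# name  getty                           type    status
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
EOF
}

# console_status [FILE]: print how the console entry is flagged:
# "secure", "insecure", "unflagged" (neither word) or "missing".
console_status() {
    awk '
        { sub(/#.*/, "") }                  # ignore comments
        $1 == "console" {
            found = 1; state = "unflagged"
            for (i = 2; i <= NF; i++) {
                if ($i == "secure")   state = "secure"
                if ($i == "insecure") state = "insecure"
            }
        }
        END { print (found ? state : "missing") }
    ' "$@"
}

# harden_console [FILE]: print the file with the console entry changed
# from "secure" to "insecure"; every other line passes through as-is.
harden_console() {
    awk '
        $1 == "console" {
            for (i = 2; i <= NF; i++)
                if ($i == "secure") $i = "insecure"
        }
        { print }
    ' "$@"
}

# Demo on the constructed sample; pass /etc/ttys as FILE on a real host.
echo "before: $(sample_ttys | console_status)"
echo "after:  $(sample_ttys | harden_console | console_status)"
```

Only the console entry is rewritten, so root logins on other terminals keep whatever flag they already had.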