From owner-freebsd-questions@FreeBSD.ORG Thu Jul 7 05:56:06 2005
From: "Ted Mittelstaedt"
To: "Brett Glass" ,
Date: Wed, 6 Jul 2005 22:56:00 -0700
In-Reply-To: <6.2.1.2.2.20050706104045.0931c6b0@localhost>
Subject: RE: Has this box been hacked?

Sure, FreeBSD 4.11 is very easy for a remote attacker to root. All you need to do is let a user on it set up some convenient password like the word "password" for the root user, and use the same on an easy-to-remember userID like "sam" or "bob", then put a DNS entry in for it like "porno-pictures.example.com" and post that on a popular website, and it shouldn't take but a few days for it to get rooted. Other than that, give me a break, Brett.
If this is a router and an out-of-the-box install, then there are no services turned on that can be rooted. Is it customary to run a webserver on your router nowadays? Give us a list of services this box is running and we can give you a better idea of how easy it might be to root.

Ted

>-----Original Message-----
>From: owner-freebsd-questions@freebsd.org
>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Brett Glass
>Sent: Wednesday, July 06, 2005 9:42 AM
>To: questions@freebsd.org
>Subject: Has this box been hacked?
>
>A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
>router wasn't the cause of it, so I rebooted it. I then did a "last" command
>and saw the following:
>
>root     ttyv0                     Tue Jul  5 12:01 - 12:05     (00:04)
>admin    ttyp0    localhost        Tue Jul  5 11:57 - 11:57     (00:00)
>root     ttyv0                     Tue Jul  5 11:49 - 12:00     (00:11)
>reboot   ~                         Tue Jul  5 11:49
>shutdown ~                         Tue Jul  5 11:47
>root     ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
>reboot   ~                         Tue Jul  5 11:36
>shutdown ~                         Tue Jul  5 05:36
>shutdown ~                         Tue Jul  5 11:22
>
>Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
>chronological order and the other logs don't show the typical debug messages
>at that time. Where might such an entry come from? How likely is it that the box
>has been rooted? Are there known exploits that might have been used to root a
>FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a
>few attempts to log in as "root" via SSH. The attempts that were logged were
>not successful, but of course a skilled attacker would cover his tracks.)
>
>--Brett
>
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
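A mechanical check for the anomaly Brett describes, added here as an example and not part of the original thread: a POSIX shell function that reads last(1) output and reports any entry whose timestamp is later than the newer entry printed above it. The sample lines are constructed to match the shape of the output quoted above, and the script assumes FreeBSD 4.x's "Day Mon DD HH:MM" timestamp form within a single calendar year.

```shell
#!/bin/sh
# Added example (not from the thread): flag entries in last(1) output whose
# login time is later than the entry printed above it. last prints newest
# first, so a later time below an earlier one is out of chronological order.
# Assumption: FreeBSD 4.x's "Day Mon DD HH:MM" timestamp form, one calendar
# year, no year field.

# Constructed sample, shaped like the `last` output quoted above.
SAMPLE_LAST='root     ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
admin    ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
root     ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
reboot   ~                         Tue Jul  5 11:49
shutdown ~                         Tue Jul  5 11:47
root     ttyv0                     Tue Jul  5 11:37 - shutdown (00:10)
reboot   ~                         Tue Jul  5 11:36
shutdown ~                         Tue Jul  5 05:36
shutdown ~                         Tue Jul  5 11:22'

# find_out_of_order: read last(1) output on stdin; print each line whose
# timestamp is later than the (newer) line above it. Silent when in order.
find_out_of_order() {
    awk '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    {
        # Find the weekday token; the timestamp is the three fields after it.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) break
        if (i > NF - 3) next                 # no timestamp on this line
        split($(i + 3), hm, ":")
        # Sortable key: month, day, hour, minute (same-year assumption).
        key = ((mon[$(i + 1)] * 100 + $(i + 2)) * 100 + hm[1]) * 100 + hm[2]
        if (have && key > prev) print "OUT OF ORDER: " $0
        prev = key; have = 1
    }'
}

# count_out_of_order: number of flagged lines for the sample above.
count_out_of_order() {
    printf '%s\n' "$SAMPLE_LAST" | find_out_of_order | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_LAST" | find_out_of_order
```

A hit is a lead, not proof of tampering: a clock step between two logins (a large ntpdate correction at boot, for example) leaves the same pattern, so corroborate against syslog and the other logs from the same window.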