Date: Wed, 06 Feb 2002 13:11:16 -0700
From: Brett Glass <brett@lariat.org>
To: Weldon S Godfrey 3 <weldon@excelsus.com>
Cc: Victor Grey <victor@customdynamic.net>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Is this evidence of a break-in attempt?
Message-ID: <4.3.2.7.2.20020206125755.01c716a0@localhost>
In-Reply-To: <Pine.BSF.4.44.0202060816280.56746-100000@joule.excelsus.com>
References: <4.3.2.7.2.20020205125336.02758450@localhost>
A good idea, though you can always boot from a floppy and bypass this. Or list the password file from the boot loader and then crack the root password offline.

Fortunately, the intruders weren't anywhere near that bright. The fact that they installed a *mouse*, of all things, indicates that they were expecting to find an NT or W2K server. They were likely COMPLETELY out of their depth when they saw a UNIX login: prompt. So much so that all they could do was try, in desperation, to log in as "root" with no password. (Many NT and W2K admins leave their boxes with null or easily guessable administrative passwords, but UNIX admins know better.) In short, they couldn't even get into a UNIX box to which they probably had physical access for hours (sigh).

My guess is that they were Microsoft weenies -- probably MCSEs, who are intentionally trained to be helpless without a GUI and are never taught the underlying principles behind what they're doing. (This keeps them from being able to deal with anything non-Microsoft, even if it's standards-based.) Microsoft also takes great pains to ensure that the dialogue boxes are complex and non-intuitive enough, and change *just enough* between versions, that recertification is required every few years. This guarantees Microsoft an income stream of thousands of dollars per year per MCSE.

--Brett

At 06:19 AM 2/6/2002, Weldon S Godfrey 3 wrote:
>Good point.
>
>I recommend that any box placed into a colo or a location that the
>security isn't under your direct control to mark your console as
>"insecure" in /etc/ttys so that root password will be asked when someone
>boots into single user mode.
>
>Weldon

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
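As an added example (not part of the thread, written here for illustration), a small shell audit of the /etc/ttys setting Weldon recommends and the bypass Brett points out. It assumes FreeBSD's ttys field layout (name, getty, type, status, then the secure/insecure flag); the sample file contents are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): audit and harden the console entry of
# /etc/ttys as Weldon recommends. Assumes FreeBSD's field layout:
#   name  getty  type  status  [secure|insecure] [window=...]
# A "secure" console gives a root shell in single-user mode with no
# password; "insecure" makes init ask for the root password first.
# As Brett notes, this does not help against booting other media or
# reading the password file from the boot loader.

# Constructed sample file (not copied from a real host).
SAMPLE_DEFAULT='# name  getty                     type    status  comments
console none                      unknown off     secure
ttyv0   "/usr/libexec/getty Pc"   cons25  on      secure'

# Read ttys content on stdin; print "secure", "insecure" or "missing".
# Flags are scanned from field 4 onward, so a quoted getty field containing
# a space (as on the ttyv0 line) does not shift the search off the flag.
console_flag() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "console" {
            flag = "insecure"
            for (i = 4; i <= NF; i++) if ($i == "secure") flag = "secure"
            print flag; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# Read ttys content on stdin; write it back with the console line's
# "secure" flag changed to "insecure". Only that line is re-spaced.
# On a live system, "kill -HUP 1" afterwards makes init re-read /etc/ttys.
harden_console() {
    awk '
        /^[ \t]*#/ || NF == 0 { print; next }
        $1 == "console" { for (i = 4; i <= NF; i++) if ($i == "secure") $i = "insecure" }
        { print }'
}

# Wrappers used by the demonstration below.
default_flag()  { printf '%s\n' "$SAMPLE_DEFAULT" | console_flag; }
hardened_flag() { printf '%s\n' "$SAMPLE_DEFAULT" | harden_console | console_flag; }

printf 'before: console is %s\n' "$(default_flag)"    # before: console is secure
printf 'after:  console is %s\n' "$(hardened_flag)"   # after:  console is insecure
```

Run it against a real file with `console_flag < /etc/ttys`; the hardening step only rewrites the console line, so other entries keep their flags.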