From owner-freebsd-security Wed Feb 6 13:20:25 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by hub.freebsd.org (Postfix) with ESMTP id E596A37B426 for ; Wed, 6 Feb 2002 13:19:43 -0800 (PST)
Received: from hades.hell.gr (patr530-a059.otenet.gr [212.205.215.59]) by mailsrv.otenet.gr (8.12.2/8.12.2) with ESMTP id g16LJFrA018620; Wed, 6 Feb 2002 23:19:33 +0200 (EET)
Received: (from charon@localhost) by hades.hell.gr (8.11.6/8.11.6) id g16Jr9J23424; Wed, 6 Feb 2002 21:53:09 +0200 (EET) (envelope-from keramida@freebsd.org)
Date: Wed, 6 Feb 2002 21:53:08 +0200
From: Giorgos Keramidas
To: "Artem 'Zazoobr' Ignatjev"
Cc: brett@lariat.org, freebsd-security@freebsd.org, victor@customdynamic.net
Subject: Re: Is this evidence of a break-in attempt?
Message-ID: <20020206195308.GA18171@hades.hell.gr>
References: <4.3.2.7.2.20020205125336.02758450@localhost> <200202061105.g16B5Uo33060@memphis.mephi.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200202061105.g16B5Uo33060@memphis.mephi.ru>
User-Agent: Mutt/1.3.25i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 2002-02-06 14:05, Artem 'Zazoobr' Ignatjev wrote:
> > From owner-freebsd-security@FreeBSD.ORG Tue Feb 5 22:59:39 2002
> > Date: Tue, 05 Feb 2002 12:54:41 -0700
> > To: Victor Grey ,
> > From: Brett Glass
> > Subject: Re: Is this evidence of a break-in attempt?
> >
> > In a word, yes. Looks like they went to the box with a
> > keyboard and a mouse, rebooted, and tried to log in.
> > Clearly, they were so clueless that they did not know
> > about single-user mode.
>
> Well, if console is marked as `insecure' (which is MY default policy)
> single mode couldn't help them too much.
> But there is a way to get contents of any file in root filesystem from
> loader(8), so they could get root hash.

You're assuming the attacker (yes, it was a naive attack of some form)
knows a lot of stuff.  He didn't know about single-user mode[1].  He
didn't have enough clue to come with fixit and just power-cycle the box.
Is that the person you're expecting to have the knowledge it takes to
use loader for password stealing+cracking? :P

"loader? What do you mean? What the heck is that? I just plugged in my
brand new PS/2 mouse, and a keyboard and rebooted. The fscking thing
didn't even get to the point where Windows displays 'Press CTRL+ALT+DEL
to log in.' so I pressed CTRL+ALT+DEL a few times. Can you guess? Yes,
this FreeBSD thing is so obviously retarded it does NOTHING when you
press CTRL+ALT+DEL! I had to power-cycle it again to remove my keyboard
and mouse!"

-- 
Giorgos Keramidas . . . . . . . . . keramida@{ceid.upatras.gr,freebsd.org}
FreeBSD Documentation Project . . . http://www.freebsd.org/docproj/
FreeBSD: The power to serve . . . . http://www.freebsd.org/
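The `insecure' console setting that the first reply relies on is a one-word flag in ttys(5), so whether a box actually has it can be checked mechanically. The script below is an added example written for this page; it is not code from the mailing-list thread or from FreeBSD. It assumes the classic ttys(5) line layout (tty name, getty command, terminal type, on/off status, then optional `secure`/`insecure` and group keywords) and builds its own constructed sample files instead of touching the live /etc/ttys.

```sh
#!/bin/sh
# Added example (not from the thread): audit an /etc/ttys-style file for
# the keyword on the console line. On FreeBSD, "insecure" on the console
# entry makes single-user mode ask for the root password instead of
# dropping straight into a root shell.
# Assumed layout: name getty type status [secure|insecure] [group]

# console_policy FILE -> prints "insecure", "secure", "none" (console line
# present but neither keyword) or "missing" (no console line at all)
console_policy() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        $1 == "console" {
            flag = "none"
            for (i = 2; i <= NF; i++)          # scan every field after the name
                if ($i == "secure" || $i == "insecure")
                    flag = $i                  # last keyword on the line wins in this check
            print flag
            found = 1
            exit                               # END still runs after exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# audit_ttys FILE -> returns 0 when the console is marked "insecure"
# (single-user mode needs the root password), 1 otherwise; one-line verdict on stdout
audit_ttys() {
    policy=$(console_policy "$1")
    case "$policy" in
        insecure) echo "$1: console is insecure; single-user mode prompts for the root password"; return 0 ;;
        secure)   echo "$1: console is secure; single-user mode gives a root shell with no password"; return 1 ;;
        none)     echo "$1: console line has no secure/insecure keyword; see ttys(5)"; return 1 ;;
        *)        echo "$1: no console line found"; return 1 ;;
    esac
}

# Constructed sample files (not real system files) so the script runs stand-alone.
sample_secure=$(mktemp)
cat > "$sample_secure" <<'EOF'
# name  getty                           type    status  comments
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
EOF

sample_insecure=$(mktemp)
cat > "$sample_insecure" <<'EOF'
# The 'insecure' keyword makes single-user mode ask for the root password.
console none                            unknown off insecure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
EOF

audit_ttys "$sample_secure" || true
audit_ttys "$sample_insecure" || true
```

Against a real machine, `audit_ttys /etc/ttys` gives the verdict; a console line carrying `secure` is what the stock FreeBSD file ships with, and it is the setting Brett's reply assumes an attacker could have exploited with a reboot. As the thread itself notes, the flag only raises the bar for someone at the keyboard; it does not replace physical access controls.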