From: Brett Glass <brett@lariat.org>
To: "Ted Mittelstaedt"
Date: Fri, 08 Jul 2005 09:49:46 -0600
Subject: RE: Has this box been hacked?
Message-Id: <6.2.1.2.2.20050708094601.086c0ae8@localhost>
References: <6.2.1.2.2.20050706104045.0931c6b0@localhost>

Give ME a break. You're only stating the obvious: the more daemons are
running, the more exposure.

This particular box is running BIND 8, a transparent Squid proxy, and SSH.
BIND is sandboxed and Squid is running as a nonprivileged user. Squid is
also set not to take requests from outside.

I wasn't the one who configured it; I've been asked to analyze it.

--Brett

At 11:56 PM 7/6/2005, Ted Mittelstaedt wrote:
> Sure, FreeBSD 4.11 is very easy for a remote attacker to root.
> All you need to do is let a user on it set up some convenient
> password like the word "password" for the root user, and use
> the same on an easy-to-remember userID like "sam" or "bob", then
> put a DNS entry in for it like "porno-pictures.example.com" and
> post that on a popular website and it shouldn't take but a few
> days for it to get rooted.
>
> Other than that, give me a break, Brett. If this is a router and
> an out of the box install then there's no services turned on
> that can be rooted. Is it customary to run a webserver on your
> router nowadays?
>
> Give us a list of services this box is running and we can give
> you a better idea of how easy it might be to root.
>
> Ted
>
>> -----Original Message-----
>> From: owner-freebsd-questions@freebsd.org
>> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Brett Glass
>> Sent: Wednesday, July 06, 2005 9:42 AM
>> To: questions@freebsd.org
>> Subject: Has this box been hacked?
>>
>> A client had a network problem, and I wanted to make sure that
>> his FreeBSD 4.11 router wasn't the cause of it, so I rebooted it.
>> I then did a "last" command and saw the following:
>>
>> root     ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
>> admin    ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
>> root     ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
>> reboot   ~                         Tue Jul  5 11:49
>> shutdown ~                         Tue Jul  5 11:47
>> root     ttyv0                     Tue Jul  5 11:37 - shutdown (00:10)
>> reboot   ~                         Tue Jul  5 11:36
>> shutdown ~                         Tue Jul  5 05:36
>> shutdown ~                         Tue Jul  5 11:22
>>
>> Note the "shutdown" entry with the time 5:36 AM, which is odd
>> because it's out of chronological order and the other logs don't
>> show the typical debug messages at that time. Where might such an
>> entry come from? How likely is it that the box has been rooted?
>> Are there known exploits that might have been used to root a
>> FreeBSD 4.11-RELEASE machine? (The only unusual activity I can
>> see in the logs is a few attempts to log in as "root" via SSH.
>> The attempts that were logged were not successful, but of course
>> a skilled attacker would cover his tracks.)
>>
>> --Brett
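As an added example (not code from this thread), here is the check Brett is doing by eye: parse `last` output and flag any record whose timestamp moves forward as you read down the newest-first listing, which is exactly what the 05:36 shutdown entry does. The sample lines are the ones quoted above, re-aligned, and the year (2005, from the mail date) is an assumption because `last` does not print it.

```python
"""Flag out-of-order records in `last` output. wtmp is append-only and `last`
prints it newest-first, so a timestamp that jumps forward as you read down
points at a clock change, a restore from backup, or an edited wtmp."""
import re
from datetime import datetime

# Constructed sample: the `last` lines quoted in the thread, re-aligned.
SAMPLE_LAST_OUTPUT = """\
root     ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
admin    ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
root     ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
reboot   ~                         Tue Jul  5 11:49
shutdown ~                         Tue Jul  5 11:47
root     ttyv0                     Tue Jul  5 11:37 - shutdown (00:10)
reboot   ~                         Tue Jul  5 11:36
shutdown ~                         Tue Jul  5 05:36
shutdown ~                         Tue Jul  5 11:22
"""

# user, tty, optional host, then "Dow Mon day HH:MM"; logout/duration ignored.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<dow>[A-Z][a-z]{2})\s+(?P<mon>[A-Z][a-z]{2})\s+"
    r"(?P<day>\d{1,2})\s+(?P<hm>\d{2}:\d{2})"
)


def parse_last(text, year):
    """Return (user, tty, login datetime) in the order `last` printed them.
    `last` omits the year, so the caller supplies it (assumed: one year)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "wtmp begins ..." trailer, blank lines
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['hm']}", "%Y %b %d %H:%M")
        entries.append((m["user"], m["tty"], stamp))
    return entries


def find_out_of_order(entries):
    """Return (i-1, i) index pairs where the record printed later (older in
    wtmp) carries a later timestamp than the one printed just before it."""
    return [(i - 1, i) for i in range(1, len(entries))
            if entries[i][2] > entries[i - 1][2]]


if __name__ == "__main__":
    recs = parse_last(SAMPLE_LAST_OUTPUT, 2005)
    for newer, older in find_out_of_order(recs):
        print(f"out of order: {recs[newer]} followed by {recs[older]}")
```

A hit only says the clock and the file order disagree; the next step is Brett's own, pulling syslog for the same window to see whether the usual shutdown messages are there.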