Date:      Fri, 8 Jul 2005 12:09:49 -0400
From:      Hornet <hornetmadness@gmail.com>
To:        Brett Glass <brett@lariat.org>
Cc:        questions@freebsd.org, Ted Mittelstaedt <tedm@toybox.placo.com>
Subject:   Re: Has this box been hacked?
Message-ID:  <f42935a605070809097b1be66b@mail.gmail.com>
In-Reply-To: <6.2.1.2.2.20050708094601.086c0ae8@localhost>
References:  <6.2.1.2.2.20050706104045.0931c6b0@localhost> <LOBBIFDAGNMAMLGJJCKNKEPKFBAA.tedm@toybox.placo.com> <6.2.1.2.2.20050708094601.086c0ae8@localhost>

On 7/8/05, Brett Glass <brett@lariat.org> wrote:
> Give ME a break. You're only stating the obvious: the more
> daemons are running, the more exposure.
Brett say hello to my insta-trash filter.
Get a hair cut you damn hippie
http://www.ymmv.com/gifs/brett.gif


> This particular box
> is running BIND 8, a transparent Squid proxy, and SSH. BIND
> is sandboxed and Squid is running as a nonprivileged user.
> Squid is also set not to take requests from outside.
>
> I wasn't the one who configured it; I've been asked to
> analyze it.
>
> --Brett
>
> At 11:56 PM 7/6/2005, Ted Mittelstaedt wrote:
>
>
> >Sure, FreeBSD 4.11 is very easy for a remote attacker to root.
> >All you need to do is let a user on it setup some convenient
> >password like the word "password" for the root user, and use
> >the same on an easy-to-remember userID
> >like "sam" or "bob", then put a DNS entry in for it like
> >"porno-pictures.example.com" and post that on a popular website
> >and it shouldn't take but a few days for it to get rooted.
> >
> >Other than that, give me a break, Brett.  If this is a router and
> >an out of the box install then there's no services turned on
> >that can be rooted.  Is it customary to run a webserver on your
> >router nowadays?
> >
> >Give us a list of services this box is running and we can give
> >you a better idea of how easy it might be to root.
> >
> >Ted
> >
> >>-----Original Message-----
> >>From: owner-freebsd-questions@freebsd.org
> >>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Brett Glass
> >>Sent: Wednesday, July 06, 2005 9:42 AM
> >>To: questions@freebsd.org
> >>Subject: Has this box been hacked?
> >>
> >>
> >>A client had a network problem, and I wanted to make sure that
> >>his FreeBSD 4.11
> >>router wasn't the cause of it, so I rebooted it. I then did a
> >>"last" command
> >>and saw the following:
> >>
> >>root             ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
> >>admin            ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
> >>root             ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
> >>reboot           ~                         Tue Jul  5 11:49
> >>shutdown         ~                         Tue Jul  5 11:47
> >>root             ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
> >>reboot           ~                         Tue Jul  5 11:36
> >>shutdown         ~                         Tue Jul  5 05:36
> >>shutdown         ~                         Tue Jul  5 11:22
> >>
> >>Note the "shutdown" entry with the time 5:36 AM, which is odd
> >>because it's out of
> >>chronological order and the other logs don't show the typical
> >>debug messages
> >>at that time. Where might such an entry come from? How likely
> >>is it that the box
> >>has been rooted? Are there known exploits that might have been
> >>used to root a
> >>FreeBSD 4.11-RELEASE machine? (The only unusual activity I can
> >>see in the logs is a
> >>few attempts to log in as "root" via SSH. The attempts that
> >>were logged were
> >>not successful, but of course a skilled attacker would cover
> >>his tracks.)
> >>
> >>--Brett
> >>
> >>_______________________________________________
> >>freebsd-questions@freebsd.org mailing list
> >>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >>To unsubscribe, send any mail to
> >>"freebsd-questions-unsubscribe@freebsd.org"
> >>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
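Added example, not part of the thread: a small Python checker that parses the `last` listing Brett quoted and flags any entry whose timestamp is earlier than the line below it, which is exactly the out-of-order 05:36 "shutdown" record he asks about. The input is the quoted listing re-joined where the mail client wrapped it; since `last` prints no year, the year 2005 from the mail date is assumed.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample: the nine entries from the quoted `last` listing, re-joined.
SAMPLE_LAST_OUTPUT = """\
root             ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
admin            ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
root             ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
reboot           ~                         Tue Jul  5 11:49
shutdown         ~                         Tue Jul  5 11:47
root             ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
reboot           ~                         Tue Jul  5 11:36
shutdown         ~                         Tue Jul  5 05:36
shutdown         ~                         Tue Jul  5 11:22
"""

# `last` prints "Dow Mon dd HH:MM" with no year; the day of month is space-padded.
DATE_RE = re.compile(
    r"\b(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +\d{1,2} \d{2}:\d{2}"
)

class Entry(NamedTuple):
    user: str
    tty: str
    host: Optional[str]  # None for console logins and the reboot/shutdown pseudo-users
    when: datetime

def parse_last(text: str, year: int) -> List[Entry]:
    """Parse `last`-style lines; the caller supplies the year that `last` omits."""
    entries = []
    for line in text.splitlines():
        m = DATE_RE.search(line)
        if not m:
            continue  # blank line or the trailing "wtmp begins ..." footer
        fields = line[: m.start()].split()  # user, tty, and host if present
        host = fields[2] if len(fields) > 2 else None
        when = datetime.strptime(f"{year} {m.group(0)}", "%Y %a %b %d %H:%M")
        entries.append(Entry(fields[0], fields[1], host, when))
    return entries

def out_of_order(entries: List[Entry]) -> List[int]:
    """Indexes of entries earlier than the line below them (`last` lists newest first).
    A record written while the clock was wrong looks the same as a planted one, so a
    hit is a lead to correlate with other logs, not a verdict."""
    return [i for i in range(len(entries) - 1) if entries[i].when < entries[i + 1].when]

if __name__ == "__main__":
    for i in out_of_order(parse_last(SAMPLE_LAST_OUTPUT, year=2005)):  # year assumed
        print(f"entry {i + 1} is earlier than the entry listed below it")
```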


