Date: Wed, 6 Feb 2002 21:53:08 +0200
From: Giorgos Keramidas
To: "Artem 'Zazoobr' Ignatjev"
Cc: brett@lariat.org, freebsd-security@freebsd.org,
Subject: Re: Is this evidence of a break-in attempt?

On 2002-02-06 14:05, Artem 'Zazoobr' Ignatjev wrote:
> > From owner-freebsd-security@FreeBSD.ORG Tue Feb 5 22:59:39 2002
> > Date: Tue, 05 Feb 2002 12:54:41 -0700
> > To: Victor Grey ,
> > From: Brett Glass
> > Subject: Re: Is this evidence of a break-in attempt?
> >
> > In a word, yes. Looks like they went to the box with a
> > keyboard and a mouse, rebooted, and tried to log in.
> > Clearly, they were so clueless that they did not know
> > about single-user mode.
> >
> Well, if console is marked as `insecure' (which is MY default policy)
> single mode couldn't help them too much.
> But there is a way to get contents of any file in root filesystem from
> loader(8), so they could get root hash.

You're assuming the attacker (yes, it was a naive attack of some form)
knows a lot of stuff. He didn't know about single-user mode[1]. He
didn't have enough clue to come with fixit and just power-cycle the box.
Is that the person you're expecting to have the knowledge it takes to
use loader for password stealing+cracking? :P

"loader? What do you mean? What the heck is that? I just plugged in
my brand new PS/2 mouse, and a keyboard and rebooted. The fscking
thing didn't even get to the point where Windows displays 'Press
CTRL+ALT+DEL to log in.' so I pressed CTRL+ALT+DEL a few times. Can
you guess? Yes, this FreeBSD thing is so obviously retarded it does
NOTHING when you press CTRL+ALT+DEL! I had to power-cycle it again to
remove my keyboard and mouse!"

-- 
Giorgos Keramidas . . . . . . . . . keramida@{ceid.upatras.gr,freebsd.org}
FreeBSD Documentation Project . . . http://www.freebsd.org/docproj/
FreeBSD: The power to serve . . . . http://www.freebsd.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message