Date: Sun, 11 May 2008 13:49:57 -0600
From: Chad Perrin
To: freebsd-questions@freebsd.org
Subject: Re: root login stops working
Message-ID: <20080511194957.GA81732@demeter.hydra>
In-Reply-To: <200805102300.41775.fbsd.questions@rachie.is-a-geek.net>

On Sat, May 10, 2008 at 11:00:41PM +0200, Mel wrote:
> On Saturday 10 May 2008 20:50:46 Dennis Flynn wrote:
> > I'm running FreeBSD wx.dennis-flynn.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0:
> > Sun Feb 24 19:59:52 UTC 2008
> > root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
> >
> > About a day after install root login no longer works - even on the console.
> >
> > I see the following in /var/log/auth.log:
> > May 10 14:22:37 wx sshd[86223]: Accepted password for root from
> > 10.11.12.104 port 1492 ssh2 May 10 14:22:37 wx sshd[86223]: Received
> > disconnect from 10.11.12.104: 0:
> >
> > And in /var/log/messages:
> > May 10 14:27:51 wx kernel: pid 86237 (csh), uid 0: exited on signal 11
> > (core dumped)
>
> Looks like you got hacked, the tell-tale being "ip port ####".
> http://security.freebsd.org/advisories/FreeBSD-SA-08:05.openssh.asc

. . . unless that's part of Dennis' network setup.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
McCloctnick the Lucid: "The first rule of magic is simple. Don't waste your
time waving your hands and hopping when a rock or a club will do."
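
An added example, not part of the original messages: a Python triage of the two log excerpts quoted in this thread, listing accepted sshd logins for root and pairing each with any uid 0 process crash that follows it. The function names, the 15-minute window and the year 2008 (syslog timestamps carry none) are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Log lines as quoted in the thread, with the mail client's wrapping undone.
AUTH_LOG = """\
May 10 14:22:37 wx sshd[86223]: Accepted password for root from 10.11.12.104 port 1492 ssh2
May 10 14:22:37 wx sshd[86223]: Received disconnect from 10.11.12.104: 0:
"""
MESSAGES = """\
May 10 14:27:51 wx kernel: pid 86237 (csh), uid 0: exited on signal 11 (core dumped)
"""

# sshd writes "from <addr> port <n>" on every accepted login; <n> is the
# client's source port, so the fields worth triaging are user, method and addr.
LOGIN_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                      r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")
CRASH_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ kernel: pid (\d+) "
                      r"\(([^)]+)\), uid (\d+): exited on signal (\d+)")

def _ts(stamp, year=2008):
    # Assumption: the year is supplied by the caller (2008 for this thread).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def root_logins(auth_text):
    """Accepted sshd logins for root, one dict per event."""
    out = []
    for line in auth_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m.group(3) == "root":
            out.append({"time": _ts(m.group(1)), "method": m.group(2),
                        "src": m.group(4), "port": int(m.group(5))})
    return out

def uid0_crashes(msg_text):
    """Kernel reports of uid 0 processes killed by a signal."""
    out = []
    for line in msg_text.splitlines():
        m = CRASH_RE.match(line)
        if m and m.group(4) == "0":
            out.append({"time": _ts(m.group(1)), "pid": int(m.group(2)),
                        "proc": m.group(3), "signal": int(m.group(5))})
    return out

def correlate(logins, crashes, window=timedelta(minutes=15)):
    """Pair each root login with uid 0 crashes that follow within window."""
    return [(l, c) for l in logins for c in crashes
            if timedelta(0) <= c["time"] - l["time"] <= window]

if __name__ == "__main__":
    for l, c in correlate(root_logins(AUTH_LOG), uid0_crashes(MESSAGES)):
        print(f"{l['time']} root via {l['method']} from {l['src']} -> "
              f"{c['proc']} (pid {c['pid']}) signal {c['signal']} at {c['time']}")
```

A pairing here is only a lead for further checking (source address ownership, sshd_config, the core file), not a verdict.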