From: Brett Glass <brett@lariat.org>
To: "Ted Mittelstaedt", freebsd-questions@FreeBSD.ORG
Date: Sun, 10 Jul 2005 12:26:29 -0600
Subject: RE: Has this box been hacked?
Message-Id: <6.2.1.2.2.20050710122345.07d0c3c8@localhost>
References: <6.2.1.2.2.20050708094601.086c0ae8@localhost>

The person who set the system up did not leave on bad terms. However, before taking the system down and setting it up from scratch (and charging them to do so) I'd like to know if anyone is aware of whether what I saw is common on boxes that have been rooted. Is that "shutdown" entry cause for concern? Is there a way in which it could have happened innocently (e.g. due to a power failure that left the disk inconsistent)?
--Brett Glass

At 02:31 AM 7/10/2005, Ted Mittelstaedt wrote:
>When I am in that same position as a rule I tell the customer
>that I would assume the system was rooted.
>
>The reason is that all of the times I've been called in on
>this type of job it has been because the previous admin was
>fired and they wanted to make sure he wasn't getting back
>in remotely and causing problems.
>
>You didn't say the circumstances behind this job of yours, but
>clearly, since this is a FreeBSD 4.11 system it's been built
>within the last 6 months. Now, the person that built it isn't
>around? Otherwise why would they be calling you in? You should
>assume the previous person that set up this system left some back
>doors.
>
>Ted