Date: Wed, 6 Jul 2005 22:56:00 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Brett Glass" <brett@lariat.org>, <questions@freebsd.org>
Subject: RE: Has this box been hacked?
Message-ID: <LOBBIFDAGNMAMLGJJCKNKEPKFBAA.tedm@toybox.placo.com>
In-Reply-To: <6.2.1.2.2.20050706104045.0931c6b0@localhost>
Sure, FreeBSD 4.11 is very easy for a remote attacker to root. All you need to do is let a user on it set up some convenient password like the word "password" for the root user, and use the same on an easy-to-remember userID like "sam" or "bob", then put a DNS entry in for it like "porno-pictures.example.com" and post that on a popular website, and it shouldn't take but a few days for it to get rooted.

Other than that, give me a break, Brett. If this is a router and an out-of-the-box install then there are no services turned on that can be rooted. Is it customary to run a webserver on your router nowadays?

Give us a list of services this box is running and we can give you a better idea of how easy it might be to root.

Ted

>-----Original Message-----
>From: owner-freebsd-questions@freebsd.org
>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Brett Glass
>Sent: Wednesday, July 06, 2005 9:42 AM
>To: questions@freebsd.org
>Subject: Has this box been hacked?
>
>
>A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
>router wasn't the cause of it, so I rebooted it. I then did a "last" command
>and saw the following:
>
>root      ttyv0                     Tue Jul  5 12:01 - 12:05     (00:04)
>admin     ttyp0    localhost        Tue Jul  5 11:57 - 11:57     (00:00)
>root      ttyv0                     Tue Jul  5 11:49 - 12:00     (00:11)
>reboot    ~                         Tue Jul  5 11:49
>shutdown  ~                         Tue Jul  5 11:47
>root      ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
>reboot    ~                         Tue Jul  5 11:36
>shutdown  ~                         Tue Jul  5 05:36
>shutdown  ~                         Tue Jul  5 11:22
>
>Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
>chronological order and the other logs don't show the typical debug messages
>at that time. Where might such an entry come from? How likely is it that the box
>has been rooted? Are there known exploits that might have been used to root a
>FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a
>few attempts to log in as "root" via SSH. The attempts that were logged were
>not successful, but of course a skilled attacker would cover his tracks.)
>
>--Brett
>
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
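The check Brett did by eye, spotting a `last` entry that is out of chronological order, can be automated for longer wtmp histories. The following is an added example, not code from this thread; it parses `last`-style lines (the year is assumed to be 2005, since FreeBSD 4.x `last` prints none) and flags any entry whose start time is earlier than the entry printed below it, which `last`'s newest-first ordering should never produce.

```python
import re
from datetime import datetime

# Constructed sample: the `last` output quoted in the thread (newest first).
# The year is assumed (2005); FreeBSD 4.x `last` does not print one.
SAMPLE_LAST = """\
root      ttyv0                     Tue Jul  5 12:01 - 12:05     (00:04)
admin     ttyp0    localhost        Tue Jul  5 11:57 - 11:57     (00:00)
root      ttyv0                     Tue Jul  5 11:49 - 12:00     (00:11)
reboot    ~                         Tue Jul  5 11:49
shutdown  ~                         Tue Jul  5 11:47
root      ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
reboot    ~                         Tue Jul  5 11:36
shutdown  ~                         Tue Jul  5 05:36
shutdown  ~                         Tue Jul  5 11:22
"""

ASSUMED_YEAR = 2005

# user, tty, optional host, then "Dow Mon D HH:MM"; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<dow>Sun|Mon|Tue|Wed|Thu|Fri|Sat)\s+(?P<mon>[A-Z][a-z]{2})\s+"
    r"(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2})"
)

def parse_last(text, year=ASSUMED_YEAR):
    """Parse `last`-style lines into (user, tty, host, start) tuples, in file order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips trailer lines such as "wtmp begins ..."
        start = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M")
        entries.append((m['user'], m['tty'], m['host'] or '', start))
    return entries

def out_of_order(entries):
    """`last` prints newest first, so start times must never increase down the
    list. Return the entries whose start is earlier than the entry below them."""
    flagged = []
    for cur, nxt in zip(entries, entries[1:]):
        if cur[3] < nxt[3]:
            flagged.append(cur)
    return flagged

if __name__ == "__main__":
    for user, tty, host, start in out_of_order(parse_last(SAMPLE_LAST)):
        print(f"out of order: {user} {tty} {host} {start:%a %b %d %H:%M}")
```

An inversion only shows that wtmp is internally inconsistent; a clock adjustment at boot or a hand-edited file both produce one, so cross-check the flagged time against syslog rather than treating it as proof either way.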