Has this box been hacked?
Ted Mittelstaedt
tedm at toybox.placo.com
Thu Jul 7 05:56:07 GMT 2005
Sure, FreeBSD 4.11 is very easy for a remote attacker to root.
All you need to do is let a user on it set up some convenient
password like the word "password" for the root user, and use
the same on an easy-to-remember userID
like "sam" or "bob", then put a DNS entry in for it like
"porno-pictures.example.com" and post that on a popular website
and it shouldn't take but a few days for it to get rooted.
Other than that, give me a break, Brett. If this is a router and
an out-of-the-box install then there are no services turned on
that can be rooted. Is it customary to run a webserver on your
router nowadays?
Give us a list of services this box is running and we can give
you a better idea of how easy it might be to root.
Ted
>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Brett Glass
>Sent: Wednesday, July 06, 2005 9:42 AM
>To: questions at freebsd.org
>Subject: Has this box been hacked?
>
>
>A client had a network problem, and I wanted to make sure that his
>FreeBSD 4.11 router wasn't the cause of it, so I rebooted it. I then
>did a "last" command and saw the following:
>
>root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04)
>admin ttyp0 localhost Tue Jul 5 11:57 - 11:57 (00:00)
>root ttyv0 Tue Jul 5 11:49 - 12:00 (00:11)
>reboot ~ Tue Jul 5 11:49
>shutdown ~ Tue Jul 5 11:47
>root ttyv0 Tue Jul 5 11:37 - shutdown (00:10)
>reboot ~ Tue Jul 5 11:36
>shutdown ~ Tue Jul 5 05:36
>shutdown ~ Tue Jul 5 11:22
>
>Note the "shutdown" entry with the time 5:36 AM, which is odd because
>it's out of chronological order and the other logs don't show the
>typical debug messages at that time. Where might such an entry come
>from? How likely is it that the box has been rooted? Are there known
>exploits that might have been used to root a FreeBSD 4.11-RELEASE
>machine? (The only unusual activity I can see in the logs is a few
>attempts to log in as "root" via SSH. The attempts that were logged
>were not successful, but of course a skilled attacker would cover his
>tracks.)
>
>--Brett
>
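The check Brett did by eye, as an added example that is not part of the thread: parse `last` output and flag any record whose successor (the next older line, since `last` prints newest first) has a later start time. The sample is the output quoted above, re-joined one record per line; the year 2005 is assumed from the mail date because `last` omits it. Note that wtmp is written locally, so this only catches a clumsy edit, not a careful one.

```python
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample: the `last` output quoted in the thread, one record
# per line. `last` prints newest first and omits the year; 2005 is an
# assumption taken from the date of the mail.
SAMPLE_LAST_OUTPUT = """\
root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04)
admin ttyp0 localhost Tue Jul 5 11:57 - 11:57 (00:00)
root ttyv0 Tue Jul 5 11:49 - 12:00 (00:11)
reboot ~ Tue Jul 5 11:49
shutdown ~ Tue Jul 5 11:47
root ttyv0 Tue Jul 5 11:37 - shutdown (00:10)
reboot ~ Tue Jul 5 11:36
shutdown ~ Tue Jul 5 05:36
shutdown ~ Tue Jul 5 11:22
"""
YEAR = 2005
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


class Record(NamedTuple):
    user: str
    tty: str
    host: Optional[str]   # absent for console logins and pseudo-users
    start: datetime
    raw: str


def parse_last(text: str, year: int = YEAR) -> List[Record]:
    """Parse whitespace-separated `last` records; the host column is optional."""
    records = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] == "wtmp":   # blank lines, "wtmp begins" trailer
            continue
        i = next(k for k, t in enumerate(tok) if t in WEEKDAYS)  # timestamp start
        host = tok[2] if i == 3 else None
        start = datetime.strptime(f"{year} {tok[i+1]} {tok[i+2]} {tok[i+3]}",
                                  "%Y %b %d %H:%M")
        records.append(Record(tok[0], tok[1], host, start, line))
    return records


def out_of_order(records: List[Record]) -> List[Record]:
    """Records whose start time is earlier than the (supposedly older) record
    printed below them: written out of sequence by a clock change, a wtmp
    edit, or a record inserted after the fact."""
    return [cur for cur, older in zip(records, records[1:])
            if cur.start < older.start]


if __name__ == "__main__":
    for r in out_of_order(parse_last(SAMPLE_LAST_OUTPUT)):
        print("out of order:", r.raw)
```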