Has this box been hacked?

Ted Mittelstaedt tedm at toybox.placo.com
Thu Jul 7 05:56:07 GMT 2005


Sure, FreeBSD 4.11 is very easy for a remote attacker to root.
All you need to do is let a user on it set up some convenient
password like the word "password" for the root user, and use
the same on an easy-to-remember userID
like "sam" or "bob", then put a DNS entry in for it like
"porno-pictures.example.com" and post that on a popular website
and it shouldn't take but a few days for it to get rooted.

Other than that, give me a break, Brett.  If this is a router and
an out-of-the-box install then there's no services turned on
that can be rooted.  Is it customary to run a webserver on your
router nowadays?

Give us a list of services this box is running and we can give
you a better idea of how easy it might be to root.

Ted

>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Brett Glass
>Sent: Wednesday, July 06, 2005 9:42 AM
>To: questions at freebsd.org
>Subject: Has this box been hacked?
>
>
>A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
>router wasn't the cause of it, so I rebooted it. I then did a "last" command
>and saw the following:
>
>root             ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
>admin            ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
>root             ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
>reboot           ~                         Tue Jul  5 11:49
>shutdown         ~                         Tue Jul  5 11:47
>root             ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
>reboot           ~                         Tue Jul  5 11:36
>shutdown         ~                         Tue Jul  5 05:36
>shutdown         ~                         Tue Jul  5 11:22
>
>Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
>chronological order and the other logs don't show the typical debug messages
>at that time. Where might such an entry come from? How likely is it that the box
>has been rooted? Are there known exploits that might have been used to root a
>FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a
>few attempts to log in as "root" via SSH. The attempts that were logged were
>not successful, but of course a skilled attacker would cover his tracks.)
>
>--Brett 
>
