Has this box been hacked?
Brett Glass
brett at lariat.org
Wed Jul 6 16:59:30 GMT 2005
A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
router wasn't the cause of it, so I rebooted it. I then did a "last" command
and saw the following:
root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04)
admin ttyp0 localhost Tue Jul 5 11:57 - 11:57 (00:00)
root ttyv0 Tue Jul 5 11:49 - 12:00 (00:11)
reboot ~ Tue Jul 5 11:49
shutdown ~ Tue Jul 5 11:47
root ttyv0 Tue Jul 5 11:37 - shutdown (00:10)
reboot ~ Tue Jul 5 11:36
shutdown ~ Tue Jul 5 05:36
shutdown ~ Tue Jul 5 11:22
Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
chronological order and the other logs don't show the typical debug messages
at that time. Where might such an entry come from? How likely is it that the box
has been rooted? Are there known exploits that might have been used to root a
FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a
few attempts to log in as "root" via SSH. The attempts that were logged were
not successful, but of course a skilled attacker would cover his tracks.)
--Brett
More information about the freebsd-questions
mailing list