Has this box been hacked?
Brett Glass
brett at lariat.org
Fri Jul 8 15:50:15 GMT 2005
Give ME a break. You're only stating the obvious: the more
daemons are running, the more exposure. This particular box
is running BIND 8, a transparent Squid proxy, and SSH. BIND
is sandboxed and Squid is running as a nonprivileged user.
Squid is also set not to take requests from outside.
I wasn't the one who configured it; I've been asked to
analyze it.
--Brett
At 11:56 PM 7/6/2005, Ted Mittelstaedt wrote:
>Sure, FreeBSD 4.11 is very easy for a remote attacker to root.
>All you need to do is let a user on it setup some convenient
>password like the word "password" for the root user, and use
>the same on an easy-to-remember userID
>like "sam" or "bob", then put a DNS entry in for it like
>"porno-pictures.example.com" and post that on a popular website
>and it shouldn't take but a few days for it to get rooted.
>
>Other than that, give me a break, Brett. If this is a router and
>an out of the box install then there's no services turned on
>that can be rooted. Is it customary to run a webserver on your
>router nowadays?
>
>Give us a list of services this box is running and we can give
>you a better idea of how easy it might be to root.
>
>Ted
>
>>-----Original Message-----
>>From: owner-freebsd-questions at freebsd.org
>>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Brett Glass
>>Sent: Wednesday, July 06, 2005 9:42 AM
>>To: questions at freebsd.org
>>Subject: Has this box been hacked?
>>
>>
>>A client had a network problem, and I wanted to make sure that his
>>FreeBSD 4.11 router wasn't the cause of it, so I rebooted it. I then
>>did a "last" command and saw the following:
>>
>>root      ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
>>admin     ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
>>root      ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
>>reboot    ~                         Tue Jul  5 11:49
>>shutdown  ~                         Tue Jul  5 11:47
>>root      ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
>>reboot    ~                         Tue Jul  5 11:36
>>shutdown  ~                         Tue Jul  5 05:36
>>shutdown  ~                         Tue Jul  5 11:22
>>
>>Note the "shutdown" entry with the time 5:36 AM, which is odd because
>>it's out of chronological order and the other logs don't show the
>>typical debug messages at that time. Where might such an entry come
>>from? How likely is it that the box has been rooted? Are there known
>>exploits that might have been used to root a FreeBSD 4.11-RELEASE
>>machine? (The only unusual activity I can see in the logs is a few
>>attempts to log in as "root" via SSH. The attempts that were logged
>>were not successful, but of course a skilled attacker would cover
>>his tracks.)
>>
>>--Brett
>>
>>_______________________________________________
>>freebsd-questions at freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>To unsubscribe, send any mail to
>>"freebsd-questions-unsubscribe at freebsd.org"
>>
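An added example, not part of the thread above: the two consistency checks a first responder would run over a `last` listing like the one Brett posted. wtmp is an append-only record file and `last` prints it newest-first, so timestamps should never increase as you read down the output, and a shutdown record should normally be followed (above it in the listing) by a reboot before the next shutdown appears. The sample input is the listing from the original post re-joined onto one line per record; the year (2005, taken from the message headers) is an assumption because `last` does not print it.

```python
"""Sanity checks for last(1)-style output: ordering and shutdown/reboot pairing.

Added example for this thread, not code from the original post or from FreeBSD.
"""
import re
from datetime import datetime
from typing import NamedTuple


class Record(NamedTuple):
    user: str
    line: str
    host: str        # empty for console logins and for reboot/shutdown pseudo-records
    when: datetime
    raw: str


# Constructed sample: the listing quoted in the post, one record per line.
SAMPLE_LAST = """\
root      ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
admin     ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
root      ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
reboot    ~                         Tue Jul  5 11:49
shutdown  ~                         Tue Jul  5 11:47
root      ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
reboot    ~                         Tue Jul  5 11:36
shutdown  ~                         Tue Jul  5 05:36
shutdown  ~                         Tue Jul  5 11:22
"""

# Day name, then the month/day/time part we actually parse. The weekday is
# matched but not used, so it cannot disagree with the assumed year.
_STAMP = re.compile(
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?P<mdt>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +\d{1,2} \d{2}:\d{2})"
)


def parse_last(text: str, year: int) -> list[Record]:
    """Parse last(1) output. `year` is an assumption: last(1) prints none, and a
    listing that spans New Year will need the caller to split it first."""
    records = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("wtmp begins"):
            continue
        m = _STAMP.search(raw)
        if not m:
            raise ValueError(f"unrecognised last(1) line: {raw!r}")
        head = raw[: m.start()].split()          # user, tty, optional host
        user, line = head[0], head[1]
        host = head[2] if len(head) > 2 else ""
        when = datetime.strptime(f"{year} {m.group('mdt')}", "%Y %b %d %H:%M")
        records.append(Record(user, line, host, when, raw))
    return records


def out_of_order(records: list[Record]) -> list[tuple[Record, Record]]:
    """Pairs (record, record printed directly below it) where the upper record
    carries an EARLIER timestamp than the one written before it in wtmp.
    Since wtmp is appended in file order, such a record was written while the
    clock read a different time or was not written through the normal path."""
    return [
        (records[i], records[i + 1])
        for i in range(len(records) - 1)
        if records[i].when < records[i + 1].when
    ]


def consecutive_shutdowns(records: list[Record]) -> list[Record]:
    """Shutdown records whose previous reboot/shutdown record (older, i.e. lower
    in the listing) is also a shutdown: a halt with no boot recorded in between."""
    flagged = []
    prev = None
    for rec in reversed(records):               # walk oldest -> newest
        if rec.user not in ("reboot", "shutdown"):
            continue
        if rec.user == "shutdown" and prev is not None and prev.user == "shutdown":
            flagged.append(rec)
        prev = rec
    return flagged


if __name__ == "__main__":
    recs = parse_last(SAMPLE_LAST, 2005)
    for upper, lower in out_of_order(recs):
        print(f"OUT OF ORDER: {upper.raw.strip()!r} sits above {lower.when:%H:%M}")
    for rec in consecutive_shutdowns(recs):
        print(f"SHUTDOWN WITHOUT REBOOT BEFORE IT: {rec.raw.strip()!r}")
```

Both checks single out the same record, the 05:36 shutdown, which is the entry the post asks about. Neither check says how it got there; they only narrow the question to that one wtmp record, which is what you then compare against syslog and the clock-setting history (ntpdate or a manual date(1) at boot) for that machine.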