Has this box been hacked?

Brett Glass brett at lariat.org
Fri Jul 8 15:50:15 GMT 2005


Give ME a break. You're only stating the obvious: the more 
daemons are running, the more exposure. This particular box 
is running BIND 8, a transparent Squid proxy, and SSH. BIND
is sandboxed and Squid is running as a nonprivileged user.
Squid is also set not to take requests from outside. 

I wasn't the one who configured it; I've been asked to 
analyze it.

--Brett

At 11:56 PM 7/6/2005, Ted Mittelstaedt wrote:

>Sure, FreeBSD 4.11 is very easy for a remote attacker to root.
>All you need to do is let a user on it set up some convenient
>password like the word "password" for the root user, and use
>the same on an easy-to-remember userID
>like "sam" or "bob", then put a DNS entry in for it like
>"porno-pictures.example.com" and post that on a popular website
>and it shouldn't take but a few days for it to get rooted.
>
>Other than that, give me a break, Brett.  If this is a router and
>an out-of-the-box install then there's no services turned on
>that can be rooted.  Is it customary to run a webserver on your
>router nowadays?
>
>Give us a list of services this box is running and we can give
>you a better idea of how easy it might be to root.
>
>Ted
>
>>-----Original Message-----
>>From: owner-freebsd-questions at freebsd.org
>>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Brett Glass
>>Sent: Wednesday, July 06, 2005 9:42 AM
>>To: questions at freebsd.org
>>Subject: Has this box been hacked?
>>
>>
>>A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
>>router wasn't the cause of it, so I rebooted it. I then did a "last" command
>>and saw the following:
>>
>>root             ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
>>admin            ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
>>root             ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
>>reboot           ~                         Tue Jul  5 11:49
>>shutdown         ~                         Tue Jul  5 11:47
>>root             ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
>>reboot           ~                         Tue Jul  5 11:36
>>shutdown         ~                         Tue Jul  5 05:36
>>shutdown         ~                         Tue Jul  5 11:22
>>
>>Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
>>chronological order and the other logs don't show the typical debug messages
>>at that time. Where might such an entry come from? How likely is it that the box
>>has been rooted? Are there known exploits that might have been used to root a
>>FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a
>>few attempts to log in as "root" via SSH. The attempts that were logged were
>>not successful, but of course a skilled attacker would cover his tracks.)
>>
>>--Brett 
>>
>>
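The anomaly Brett spotted by eye, a wtmp entry whose timestamp is earlier than the entry recorded before it, can be surfaced mechanically. The following Python script is an added example and is not part of the thread or of FreeBSD; it parses last(1)-style output (the sample is the quoted output, re-joined from the wrapped lines, with the year 2005 supplied by the caller because last omits it) and reports entries that break the newest-first ordering. It only finds the inconsistency; as the thread itself leaves open, the same symptom can come from a wrong system clock at the time the entry was written or from an edited wtmp, and distinguishing the two needs other evidence.

```python
import re
from datetime import datetime

# Sample last(1) output: the lines quoted in the thread, re-joined where the
# mail client wrapped them. Constructed test input for this example.
SAMPLE_LAST = """\
root             ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
admin            ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
root             ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
reboot           ~                         Tue Jul  5 11:49
shutdown         ~                         Tue Jul  5 11:47
root             ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
reboot           ~                         Tue Jul  5 11:36
shutdown         ~                         Tue Jul  5 05:36
shutdown         ~                         Tue Jul  5 11:22
"""

# user, tty, optional host, start time, optional "- end (duration)".
# The host field is optional because console logins (ttyv0) and the
# reboot/shutdown pseudo-entries print none.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<start>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2})"
    r"(?:\s+-\s+(?P<end>\S+)\s+\((?P<dur>[^)]*)\))?\s*$"
)


def parse_last(text, year):
    """Parse last(1) output into dicts. `year` is an assumption supplied by
    the caller: last prints no year, and this example assumes every entry
    falls in the same one."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("wtmp begins"):
            continue  # blank lines and the trailer last prints at the end
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised last(1) line: {line!r}")
        start = datetime.strptime(f"{year} {m['start']}", "%Y %a %b %d %H:%M")
        entries.append({
            "user": m["user"],
            "tty": m["tty"],
            "host": m["host"],
            "start": start,
            "end": m["end"],
            "line": line.rstrip(),
        })
    return entries


def find_out_of_order(entries):
    """last(1) prints wtmp newest-first, so each entry's start time should be
    no earlier than the start of the entry printed directly below it (the one
    written before it). Return the entries that violate this."""
    flagged = []
    for cur, older in zip(entries, entries[1:]):
        if cur["start"] < older["start"]:
            flagged.append(cur)
    return flagged


if __name__ == "__main__":
    for entry in find_out_of_order(parse_last(SAMPLE_LAST, 2005)):
        print("out of sequence:", entry["line"])
```

Run against the sample, the script flags exactly the 05:36 "shutdown" line. On a live system the same functions can be fed `last` output captured to a file; when the output spans a year boundary the single-year assumption must be replaced by tracking month rollover.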


