From owner-freebsd-security Fri Mar 2 0: 9:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from R181204.resnet.ucsb.edu (R181204.resnet.ucsb.edu [128.111.181.204]) by hub.freebsd.org (Postfix) with ESMTP id 468E737B719 for ; Fri, 2 Mar 2001 00:09:20 -0800 (PST) (envelope-from mudman@R181204.resnet.ucsb.edu)
Received: from localhost (mudman@localhost) by R181204.resnet.ucsb.edu (8.11.1/8.11.1) with ESMTP id f228DLx06723 for ; Fri, 2 Mar 2001 00:13:22 -0800 (PST) (envelope-from mudman@R181204.resnet.ucsb.edu)
Date: Fri, 2 Mar 2001 00:13:19 -0800 (PST)
From: mudman
To:
Subject: /etc/pwd.db
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

About a month ago, a script kiddie took (a largely unsuccessful) shot at my box: They logged in anonymous ftp (I later on ended up disabling this to discourage them) and would then proceed to spam or packet-flood my box, much like a denial-of-service attack. At regular intervals, they would try to access /etc/pwd.db, and then flood me some more.

Well, as it turns out, I never crashed, nor did they ever get /etc/pwd.db.

However, I think pwd.db is encrypted, right? Even then, since remote root login is not allowed (and I have no accounts in wheel to su to root), would having it do the assailant any good at all? Hypothetically, you could post your root password on the internet and it wouldn't be of much use if you were the only one with access to the console and no one can su to root. (Aside from compromising some users' accounts... in my case, I have no users with really anything important).

Eventually, after a lot of other shots like some malformed packets, followed by more failures, the said script-kiddie got bored and gave up, or found somebody else to bother.

Is there anything to be gained on such a system, other than a few user accounts, by getting pwd.db?
I'm debating whether the attack was close to pointless, or whether there should be any cause for alarm here.

So.... what do you guys think?