From: Damien Fleuriot
Date: Tue, 07 Feb 2012 13:11:44 +0100
To: freebsd-questions@freebsd.org
Subject: Re: on hammer's, security, and centrifuges...

On 2/7/12 1:03 PM, Henry Olyer wrote:
> So I was coding along...
>
> On my laptop, on session #1, and I get a notice that someone did an su.
> Except I'm the only user and I didn't have an ethernet cord connected.
> (And no, it wasn't me...)
>
> I just built this laptop a few days ago. Fresh. I did have to get on the
> net to download/make/install a few critical packages. I do development.
> And research.
>
> My guess, not one shred of evidence, is that someone got in while I was
> re-building packages. Some (for example Maxima) take hours. And because
> of problems with gnuplot and pdflib, won't build as packages without
> re-compilation.
>

And how would they have done that:
- weak root password or something?
- did you allow root login at all through SSH?

I work with dozens of FreeBSD boxes at work, all of which are under heavy load and present juicy targets for attackers. We've not had a single breach in security since I started.

You're looking for means of increasing security, it seems to me, once an attacker already has the root. I would suggest preventing said attacker from obtaining the root in the first place.

Perhaps one of the packages you downloaded was backdoored?