From owner-freebsd-questions@FreeBSD.ORG Thu Jul 7 23:32:24 2005
From: J65nko BSD
To: Brett Glass
Cc: questions@freebsd.org
Date: Fri, 8 Jul 2005 01:32:23 +0200
Subject: Re: Has this box been hacked?
Message-ID: <19861fba05070716321226c330@mail.gmail.com>
In-Reply-To: <6.2.1.2.2.20050706104045.0931c6b0@localhost>
On 7/6/05, Brett Glass wrote:
>
> A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
> router wasn't the cause of it, so I rebooted it. I then did a "last" command
> and saw the following:
>
> root     ttyv0                      Tue Jul  5 12:01 - 12:05  (00:04)
> admin    ttyp0    localhost         Tue Jul  5 11:57 - 11:57  (00:00)
> root     ttyv0                      Tue Jul  5 11:49 - 12:00  (00:11)
> reboot   ~                          Tue Jul  5 11:49
> shutdown ~                          Tue Jul  5 11:47
> root     ttyv0                      Tue Jul  5 11:37 - shutdown  (00:10)
> reboot   ~                          Tue Jul  5 11:36
> shutdown ~                          Tue Jul  5 05:36
> shutdown ~                          Tue Jul  5 11:22
>
> Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
> chronological order and the other logs don't show the typical debug messages
> at that time. Where might such an entry come from? How likely is it that the box
> has been rooted? Are there known exploits that might have been used to root a
> FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a
> few attempts to log in as "root" via SSH. The attempts that were logged were
> not successful, but of course a skilled attacker would cover his tracks.)

If you had installed something like tripwire or aide, you would have been in a
better position to find out whether the box has been owned. See
http://www.onlamp.com/pub/a/bsd/2003/04/03/FreeBSD_Basics.html

=Adriaan=
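The ordering anomaly Brett points at can be checked mechanically rather than by eye. The script below is an added example written for this archive page, not code from either poster: it parses text in the shape `last` printed above (the sample is a constructed copy of the quoted listing, with the year assumed to be 2005 from the message date, since `last` prints no year) and flags every record that is older than the record printed below it. Because `last` walks wtmp from newest to oldest, such a record was appended between two newer ones, which is exactly what the 05:36 shutdown line does.

```python
import re
from datetime import datetime

# Constructed sample: the `last` listing quoted in the thread. `last` prints
# the newest wtmp record first; the year is an assumption (2005).
SAMPLE_LAST_OUTPUT = """\
root     ttyv0                      Tue Jul  5 12:01 - 12:05  (00:04)
admin    ttyp0    localhost         Tue Jul  5 11:57 - 11:57  (00:00)
root     ttyv0                      Tue Jul  5 11:49 - 12:00  (00:11)
reboot   ~                          Tue Jul  5 11:49
shutdown ~                          Tue Jul  5 11:47
root     ttyv0                      Tue Jul  5 11:37 - shutdown  (00:10)
reboot   ~                          Tue Jul  5 11:36
shutdown ~                          Tue Jul  5 05:36
shutdown ~                          Tue Jul  5 11:22
"""

# user, tty, optional remote host, then "Www Mmm d HH:MM"; the optional host
# group backtracks when the third token turns out to be the weekday.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<day>Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(?P<mon>[A-Z][a-z]{2})\s+"
    r"(?P<dom>\d{1,2})\s+(?P<time>\d{2}:\d{2})"
)


def parse_last(text, year):
    """Turn `last` output into dicts with a real datetime per record."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, 'wtmp begins ...' trailer, etc.
        when = datetime.strptime(
            f"{year} {m['mon']} {m['dom']} {m['time']}", "%Y %b %d %H:%M")
        entries.append({"user": m["user"], "tty": m["tty"],
                        "host": m["host"], "when": when, "raw": line.strip()})
    return entries


def find_out_of_order(entries):
    """Return records that are older than the record printed right below them.

    Newest-first output means every timestamp should be >= the next one.
    A record older than its successor was written to wtmp between two
    newer records, i.e. with a clock that did not agree with its neighbours.
    """
    misplaced = []
    for cur, nxt in zip(entries, entries[1:]):
        if cur["when"] < nxt["when"]:
            misplaced.append(cur)
    return misplaced


def report(text, year):
    """Human-readable summary for an operator reviewing a box."""
    entries = parse_last(text, year)
    bad = find_out_of_order(entries)
    lines = [f"{len(entries)} records parsed, {len(bad)} out of order"]
    lines += ["  OUT OF ORDER: " + e["raw"] for e in bad]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LAST_OUTPUT, 2005))
```

The check only establishes that the record sits in the wrong place; it does not say why. The two facts an investigator can rely on are that wtmp records carry whatever the system clock said when they were written, so a clock that was stepped (for example at boot, before time synchronisation) produces the same symptom as a hand-edited file, and that a process with write access to wtmp can append anything. Either way the file itself cannot settle the question, which is why the reply points at integrity checking instead.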
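Adriaan's answer is that a pre-existing file-integrity baseline is what lets you answer "has this box been owned" after the fact. To show what such a baseline consists of, here is an added, deliberately small stand-in for the idea behind tripwire and aide; it is example code for this page, not the code of either tool. It records mode, owner, size and a SHA-256 digest for every path under a root, then diffs a later snapshot against the stored one. The `demo()` function builds a constructed tree in a temporary directory, takes the baseline, simulates one replaced file, one deleted file and one new file, and returns the comparison.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Metadata plus content digest for one path (symlinks are not followed)."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        rec["size"] = st.st_size
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a retargeted link is a change too
    return rec


def build_baseline(root):
    """Map every path under root (relative) to its record."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def compare(baseline, current):
    """Report paths added, removed, or whose recorded attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        old, new = baseline[name], current[name]
        diffs = {k: (old.get(k), new.get(k))
                 for k in set(old) | set(new) if old.get(k) != new.get(k)}
        if diffs:
            changed[name] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed tree: take a baseline, drift it, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary\n")
        (root / "etc" / "old.conf").write_text("keep=1\n")
        baseline = build_baseline(root)

        # Simulated drift after the baseline was taken.
        (root / "bin" / "ls").write_bytes(b"replaced binary\n")
        (root / "etc" / "old.conf").unlink()
        (root / "etc" / "rc.local").write_text("# added later\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "removed"):
        for name in result[kind]:
            print(f"{kind:8s} {name}")
    for name, diffs in result["changed"].items():
        print(f"changed  {name}: {sorted(diffs)}")
```

The part the script does not model is the part that makes the real tools useful: the baseline has to be taken when the system is known good and then stored where the running system cannot rewrite it (read-only media or another host), because a baseline kept on the box being checked is just one more file an intruder with root can edit. Directory entries are compared by mode and ownership only, since their size varies by filesystem and would produce noise.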