Date: Fri, 8 Jul 2005 01:32:23 +0200
From: J65nko BSD <j65nko@gmail.com>
To: Brett Glass <brett@lariat.org>
Cc: questions@freebsd.org
Subject: Re: Has this box been hacked?
Message-ID: <19861fba05070716321226c330@mail.gmail.com>
In-Reply-To: <6.2.1.2.2.20050706104045.0931c6b0@localhost>
References: <6.2.1.2.2.20050706104045.0931c6b0@localhost>
On 7/6/05, Brett Glass <brett@lariat.org> wrote:
>
> A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
> router wasn't the cause of it, so I rebooted it. I then did a "last" command
> and saw the following:
>
> root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04)
> admin ttyp0 localhost Tue Jul 5 11:57 - 11:57 (00:00)
> root ttyv0 Tue Jul 5 11:49 - 12:00 (00:11)
> reboot ~ Tue Jul 5 11:49
> shutdown ~ Tue Jul 5 11:47
> root ttyv0 Tue Jul 5 11:37 - shutdown (00:10)
> reboot ~ Tue Jul 5 11:36
> shutdown ~ Tue Jul 5 05:36
> shutdown ~ Tue Jul 5 11:22
>
> Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
> chronological order and the other logs don't show the typical debug messages
> at that time. Where might such an entry come from? How likely is it that the box
> has been rooted? Are there known exploits that might have been used to root a
> FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a
> few attempts to log in as "root" via SSH. The attempts that were logged were
> not successful, but of course a skilled attacker would cover his tracks.)

If you had installed something like tripwire or aide, you would have
been in a better position to find out whether the box has been owned. See
http://www.onlamp.com/pub/a/bsd/2003/04/03/FreeBSD_Basics.html

=Adriaan=
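The out-of-order `shutdown` record Brett noticed can be picked out mechanically. The script below is an added example (not code from either poster): it parses `last` output, which walks wtmp from the newest record backwards, and flags any record that was appended after a record carrying a later clock. The sample input is the `last` output quoted in the thread, re-typed with `last`'s usual column spacing; the year (2005) is assumed from the mail date, since `last` does not print it.

```python
import re
from datetime import datetime
from typing import List, NamedTuple

# The `last` output quoted in the thread, re-typed as sample input for this
# example. `last` prints no year; 2005 is assumed from the date of the mail.
SAMPLE_LAST = """\
root      ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
admin     ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
root      ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
reboot    ~                         Tue Jul  5 11:49
shutdown  ~                         Tue Jul  5 11:47
root      ttyv0                     Tue Jul  5 11:37 - shutdown (00:10)
reboot    ~                         Tue Jul  5 11:36
shutdown  ~                         Tue Jul  5 05:36
shutdown  ~                         Tue Jul  5 11:22
"""

# user, tty, optional remote host, then the start timestamp of the record.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<start>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2})"
)


class Entry(NamedTuple):
    user: str
    tty: str
    host: str
    when: datetime
    raw: str


def parse_last(text: str, year: int) -> List[Entry]:
    """Parse `last` output (newest record first) into Entry tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and the trailing "wtmp begins" line
        when = datetime.strptime(f"{m['start']} {year}", "%a %b %d %H:%M %Y")
        entries.append(Entry(m["user"], m["tty"], m["host"] or "", when, line.rstrip()))
    return entries


def out_of_order(entries: List[Entry]) -> List[Entry]:
    """Flag records written to wtmp after a record that carries a later clock.
    The record printed above another was appended later, so its timestamp
    should be equal or later; a stepped clock or an edited wtmp breaks this."""
    return [cur for cur, older in zip(entries, entries[1:]) if cur.when < older.when]


if __name__ == "__main__":
    for e in out_of_order(parse_last(SAMPLE_LAST, 2005)):
        print("out of sequence:", e.raw)
```

On the quoted sample the only record flagged is the `shutdown ~ Tue Jul 5 05:36` line; a flagged record says where to look next (clock adjustments in the system logs, or a file-integrity baseline such as the tripwire/aide setup Adriaan recommends), not that the box was compromised.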
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19861fba05070716321226c330>