From owner-freebsd-questions@FreeBSD.ORG  Sun Jul 10 08:32:04 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: questions@freebsd.org
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 349F016A41C
	for <questions@freebsd.org>; Sun, 10 Jul 2005 08:32:04 +0000 (GMT)
	(envelope-from tedm@toybox.placo.com)
Received: from mail.freebsd-corp-net-guide.com
	(mail.freebsd-corp-net-guide.com [65.75.192.90])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CE51843D45
	for <questions@freebsd.org>; Sun, 10 Jul 2005 08:32:03 +0000 (GMT)
	(envelope-from tedm@toybox.placo.com)
Received: from tedwin2k (nat-rtr.freebsd-corp-net-guide.com [65.75.197.130])
	by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id
	j6A8XHb24734; Sun, 10 Jul 2005 01:33:17 -0700 (PDT)
	(envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Brett Glass" <brett@lariat.org>, <questions@freebsd.org>
Date: Sun, 10 Jul 2005 01:31:59 -0700
Message-ID: <LOBBIFDAGNMAMLGJJCKNKEPMFBAA.tedm@toybox.placo.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
In-Reply-To: <6.2.1.2.2.20050708094601.086c0ae8@localhost>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
Importance: Normal
Cc: 
Subject: RE: Has this box been hacked?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2005 08:32:04 -0000


When I am in that same position as a rule I tell the customer
that I would assume the system was rooted.

The reason is that all of the times I've been called in on
this type of job it has been because the previous admin was
fired and they wanted to make sure he wasn't getting back
in remotely and causing problems.

You didn't say the circumstances behind this job of yours, but
clearly, since this is a FreeBSD 4.11 system it's been built
within the last 6 months.  Now, the person that built it isn't
around?  Otherwise why would they be callin you in?  You should
assume the previous person that setup this system left some back
doors.

Ted