Date:      Sun, 10 Jul 2005 12:26:29 -0600
From:      Brett Glass <brett@lariat.org>
To:        "Ted Mittelstaedt" <tedm@toybox.placo.com>, <questions@freebsd.org>
Subject:   RE: Has this box been hacked?
Message-ID:  <6.2.1.2.2.20050710122345.07d0c3c8@localhost>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNKEPMFBAA.tedm@toybox.placo.com>
References:  <6.2.1.2.2.20050708094601.086c0ae8@localhost> <LOBBIFDAGNMAMLGJJCKNKEPMFBAA.tedm@toybox.placo.com>

The person who set the system up did not leave on bad terms.
However, before taking the system down and setting it up
from scratch (and charging them to do so) I'd like to know
if anyone is aware of whether what I saw is common on boxes
that have been rooted. Is that "shutdown" entry cause for
concern? Is there a way in which it could have happened
innocently (e.g. due to a power failure that left the disk
inconsistent)?

--Brett Glass

At 02:31 AM 7/10/2005, Ted Mittelstaedt wrote:
  

>When I am in that same position as a rule I tell the customer
>that I would assume the system was rooted.
>
>The reason is that all of the times I've been called in on
>this type of job it has been because the previous admin was
>fired and they wanted to make sure he wasn't getting back
>in remotely and causing problems.
>
>You didn't say the circumstances behind this job of yours, but
>clearly, since this is a FreeBSD 4.11 system it's been built
>within the last 6 months.  Now, the person that built it isn't
>around?  Otherwise why would they be calling you in?  You should
>assume the previous person that set up this system left some back
>doors.
>
>Ted



