Give ME a break. You're only stating the obvious: the more daemons are running, the more exposure. This particular box is running BIND 8, a transparent Squid proxy, and SSH. BIND is sandboxed and Squid is running as a nonprivileged user. Squid is also set not to take requests from outside.

I wasn't the one who configured it; I've been asked to analyze it.

--Brett

At 11:56 PM 7/6/2005, Ted Mittelstaedt wrote:
>Sure, FreeBSD 4.11 is very easy for a remote attacker to root.
>All you need to do is let a user on it set up some convenient
>password like the word "password" for the root user, and use
>the same on an easy-to-remember userID
>like "sam" or "bob", then put a DNS entry in for it like
>"porno-pictures.example.com" and post that on a popular website
>and it shouldn't take but a few days for it to get rooted.
>
>Other than that, give me a break, Brett. If this is a router and
>an out of the box install then there's no services turned on
>that can be rooted. Is it customary to run a webserver on your
>router nowadays?
>
>Give us a list of services this box is running and we can give
>you a better idea of how easy it might be to root.
>
>Ted
>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] Behalf Of Brett Glass
>>Sent: Wednesday, July 06, 2005 9:42 AM
>>To: [EMAIL PROTECTED]
>>Subject: Has this box been hacked?
>>
>>
>>A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
>>router wasn't the cause of it, so I rebooted it. I then did a "last" command
>>and saw the following:
>>
>>root      ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
>>admin     ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
>>root      ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
>>reboot    ~                         Tue Jul  5 11:49
>>shutdown  ~                         Tue Jul  5 11:47
>>root      ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
>>reboot    ~                         Tue Jul  5 11:36
>>shutdown  ~                         Tue Jul  5 05:36
>>shutdown  ~                         Tue Jul  5 11:22
>>
>>Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
>>chronological order and the other logs don't show the typical debug messages
>>at that time. Where might such an entry come from? How likely is it that the box
>>has been rooted? Are there known exploits that might have been used to root a
>>FreeBSD 4.11-RELEASE machine?
>>
>>(The only unusual activity I can see in the logs is a
>>few attempts to log in as "root" via SSH. The attempts that were logged were
>>not successful, but of course a skilled attacker would cover his tracks.)
>>
>>--Brett
>>
>>_______________________________________________
>>freebsd-questions@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>To unsubscribe, send any mail to
>>"[EMAIL PROTECTED]"
>>
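As an added defender-side example (not code from anyone in this thread), here is a small Python parser for `last` output that uses the lines Brett posted as constructed input, assumes the year is 2005 since `last` prints none, flags the chronological-order anomaly he spotted by eye, and lists any root logins that came from a non-local host:

```python
import re
from datetime import datetime

# Constructed sample: the `last` lines from Brett's message (newest record first).
LAST_OUTPUT = """\
root      ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
admin     ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
root      ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
reboot    ~                         Tue Jul  5 11:49
shutdown  ~                         Tue Jul  5 11:47
root      ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
reboot    ~                         Tue Jul  5 11:36
shutdown  ~                         Tue Jul  5 05:36
shutdown  ~                         Tue Jul  5 11:22
"""

# user, tty, optional host, then "Www Mmm d HH:MM"; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<dow>[A-Z][a-z]{2}) (?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hm>\d{2}:\d{2})"
)


def parse_last(text, year=2005):
    """Turn `last` output into dicts; `year` is an assumption, wtmp has no year column."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['hm']} {year}", "%b %d %H:%M %Y")
        entries.append({"user": m["user"], "tty": m["tty"], "host": m["host"],
                        "time": ts, "raw": line.rstrip()})
    return entries


def find_out_of_order(entries):
    """`last` prints newest first, so each record should be no older than the one below it.
    Return records that are older than the next record down (Brett's 05:36 shutdown)."""
    return [cur for cur, older in zip(entries, entries[1:]) if cur["time"] < older["time"]]


def remote_root_logins(entries, local_hosts=("localhost",)):
    """Root sessions that arrived over the network rather than the console or localhost."""
    return [e for e in entries
            if e["user"] == "root" and e["host"] and e["host"] not in local_hosts]


if __name__ == "__main__":
    recs = parse_last(LAST_OUTPUT)
    for r in find_out_of_order(recs):
        print("out of order:", r["raw"])
    for r in remote_root_logins(recs):
        print("remote root login:", r["raw"])
```

An out-of-order wtmp record is also what you get when the system clock is stepped between two records (for example a clock correction at boot), so corroborate it against syslog and the boot messages before treating it as tampering.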