On 7/8/05, Brett Glass <[EMAIL PROTECTED]> wrote:
> Give ME a break. You're only stating the obvious: the more
> daemons are running, the more exposure.

Brett, say hello to my insta-trash filter. Get a hair cut you damn hippie
http://www.ymmv.com/gifs/brett.gif

> This particular box
> is running BIND 8, a transparent Squid proxy, and SSH. BIND
> is sandboxed and Squid is running as a nonprivileged user.
> Squid is also set not to take requests from outside.
>
> I wasn't the one who configured it; I've been asked to
> analyze it.
>
> --Brett
>
> At 11:56 PM 7/6/2005, Ted Mittelstaedt wrote:
> http://www.ymmv.com/gifs/brett.gif
>
> >Sure, FreeBSD 4.11 is very easy for a remote attacker to root.
> >All you need to do is let a user on it set up some convenient
> >password like the word "password" for the root user, and use
> >the same on an easy-to-remember userID
> >like "sam" or "bob", then put a DNS entry in for it like
> >"porno-pictures.example.com" and post that on a popular website
> >and it shouldn't take but a few days for it to get rooted.
> >
> >Other than that, give me a break, Brett. If this is a router and
> >an out of the box install then there's no services turned on
> >that can be rooted. Is it customary to run a webserver on your
> >router nowadays?
> >
> >Give us a list of services this box is running and we can give
> >you a better idea of how easy it might be to root.
> >
> >Ted
> >
> >>-----Original Message-----
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED] Behalf Of Brett Glass
> >>Sent: Wednesday, July 06, 2005 9:42 AM
> >>To: [EMAIL PROTECTED]
> >>Subject: Has this box been hacked?
> >>
> >>
> >>A client had a network problem, and I wanted to make sure that
> >>his FreeBSD 4.11 router wasn't the cause of it, so I rebooted it.
> >>I then did a "last" command and saw the following:
> >>
> >>root     ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
> >>admin    ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
> >>root     ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
> >>reboot   ~                         Tue Jul  5 11:49
> >>shutdown ~                         Tue Jul  5 11:47
> >>root     ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
> >>reboot   ~                         Tue Jul  5 11:36
> >>shutdown ~                         Tue Jul  5 05:36
> >>shutdown ~                         Tue Jul  5 11:22
> >>
> >>Note the "shutdown" entry with the time 5:36 AM, which is odd
> >>because it's out of chronological order and the other logs don't
> >>show the typical debug messages at that time. Where might such an
> >>entry come from? How likely is it that the box has been rooted?
> >>Are there known exploits that might have been used to root a
> >>FreeBSD 4.11-RELEASE machine? (The only unusual activity I can
> >>see in the logs is a few attempts to log in as "root" via SSH.
> >>The attempts that were logged were not successful, but of course
> >>a skilled attacker would cover his tracks.)
> >>
> >>--Brett
> >>
> >>_______________________________________________
> >>freebsd-questions@freebsd.org mailing list
> >>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >>To unsubscribe, send any mail to
> >>"[EMAIL PROTECTED]"
> >>
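The ordering check Brett is doing by eye above, as an added example that is not part of the original thread: a small Python script that parses last(1)-style output and flags every record whose login time is earlier than the record printed directly below it. last(1) prints wtmp records newest first, so in a consistent wtmp no record is earlier than its successor. The sample input is the listing posted in the thread, re-spaced into last's column layout (the mail client had wrapped it) with a constructed "wtmp begins" footer appended; the year 2005 is assumed because FreeBSD 4.x last(1) does not print one.

```python
"""Flag last(1) records whose timestamp is out of sequence.

Added example, not code from the original thread. last(1) prints wtmp
records newest first, so a record that is earlier than the one printed
below it is inconsistent with its position in the file.
"""
import re
from datetime import datetime

# Constructed sample: the `last` output posted in the thread, re-spaced into
# the column layout FreeBSD's last(1) prints, plus a constructed footer line.
SAMPLE_LAST = """\
root     ttyv0                     Tue Jul  5 12:01 - 12:05  (00:04)
admin    ttyp0    localhost        Tue Jul  5 11:57 - 11:57  (00:00)
root     ttyv0                     Tue Jul  5 11:49 - 12:00  (00:11)
reboot   ~                         Tue Jul  5 11:49
shutdown ~                         Tue Jul  5 11:47
root     ttyv0                     Tue Jul  5 11:37 - shutdown  (00:10)
reboot   ~                         Tue Jul  5 11:36
shutdown ~                         Tue Jul  5 05:36
shutdown ~                         Tue Jul  5 11:22

wtmp begins Fri Jul  1 00:00:00 2005
"""

# Assumption: FreeBSD 4.x last(1) prints no year, so supply the one the
# thread is from.
ASSUMED_YEAR = 2005

# Matches the login timestamp every record carries, e.g. "Tue Jul  5 12:01".
STAMP = re.compile(
    r"\b(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(?P<mon>[A-Z][a-z]{2})\s+"
    r"(?P<dom>\d{1,2})\s+(?P<hm>\d{2}:\d{2})"
)


def parse_last(text, year=ASSUMED_YEAR):
    """Return [(user, tty, host, login_time), ...] in the order last(1) printed them."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("wtmp begins"):
            continue  # blank line or last(1)'s trailing footer
        m = STAMP.search(line)
        if m is None:
            raise ValueError(f"unparsable last(1) line: {line!r}")
        # Everything before the timestamp is user, tty and (optional) host.
        fields = line[: m.start()].split()
        user, tty = fields[0], fields[1]
        host = fields[2] if len(fields) > 2 else ""
        when = datetime.strptime(
            f"{year} {m['mon']} {m['dom']} {m['hm']}", "%Y %b %d %H:%M"
        )
        records.append((user, tty, host, when))
    return records


def out_of_order(records):
    """Return the records whose timestamp is earlier than the (older) record
    printed directly below them; in a consistent wtmp there are none."""
    return [
        newer
        for newer, older in zip(records, records[1:])
        if newer[3] < older[3]
    ]


def report(text, year=ASSUMED_YEAR):
    """Human-readable summary of the anomalies in one last(1) listing."""
    flagged = out_of_order(parse_last(text, year))
    if not flagged:
        return "no out-of-sequence records"
    return "\n".join(
        f"{user:<8} {tty:<8} {when:%a %b %d %H:%M} is earlier than the record below it"
        for user, tty, _host, when in flagged
    )


if __name__ == "__main__":
    print(report(SAMPLE_LAST))
```

Run against the posted listing this flags exactly the 05:36 shutdown record. The check only establishes that a record's timestamp disagrees with its position in wtmp: records are appended as events happen, so such a record was either written while the system clock read a different time (a clock that was wrong at shutdown and corrected later produces the same pattern) or the file was modified out of sequence. Distinguishing the two needs other evidence, such as the syslog entries Brett mentions.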