Has this box been hacked?
J65nko BSD
j65nko at gmail.com
Thu Jul 7 23:32:24 GMT 2005
On 7/6/05, Brett Glass <brett at lariat.org> wrote:
>
> A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
> router wasn't the cause of it, so I rebooted it. I then did a "last" command
> and saw the following:
>
> root      ttyv0                      Tue Jul  5 12:01 - 12:05  (00:04)
> admin     ttyp0    localhost         Tue Jul  5 11:57 - 11:57  (00:00)
> root      ttyv0                      Tue Jul  5 11:49 - 12:00  (00:11)
> reboot    ~                          Tue Jul  5 11:49
> shutdown  ~                          Tue Jul  5 11:47
> root      ttyv0                      Tue Jul  5 11:37 - shutdown  (00:10)
> reboot    ~                          Tue Jul  5 11:36
> shutdown  ~                          Tue Jul  5 05:36
> shutdown  ~                          Tue Jul  5 11:22
>
> Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
> chronological order and the other logs don't show the typical debug messages
> at that time. Where might such an entry come from? How likely is it that the box
> has been rooted? Are there known exploits that might have been used to root a
> FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a
> few attempts to log in as "root" via SSH. The attempts that were logged were
> not successful, but of course a skilled attacker would cover his tracks.)
If you had installed something like tripwire or aide, you would have
been in a better position to find out whether the box has been owned. See
http://www.onlamp.com/pub/a/bsd/2003/04/03/FreeBSD_Basics.html
=Adriaan=
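As an added example, not part of the thread, the check Brett did by eye can be scripted: parse `last` output and flag any record whose login time is earlier than the record printed below it, which is exactly the position of the 05:36 "shutdown" line. The sample text is the quoted output with the column spacing `last` prints restored, and the year 2005 is assumed because `last` prints none.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: the last(1) output quoted in the message above, with the
# column spacing that last(1) normally prints restored.
SAMPLE_LAST = """\
root      ttyv0                      Tue Jul  5 12:01 - 12:05  (00:04)
admin     ttyp0    localhost         Tue Jul  5 11:57 - 11:57  (00:00)
root      ttyv0                      Tue Jul  5 11:49 - 12:00  (00:11)
reboot    ~                          Tue Jul  5 11:49
shutdown  ~                          Tue Jul  5 11:47
root      ttyv0                      Tue Jul  5 11:37 - shutdown  (00:10)
reboot    ~                          Tue Jul  5 11:36
shutdown  ~                          Tue Jul  5 05:36
shutdown  ~                          Tue Jul  5 11:22
"""

# last(1) prints no year; the thread is from July 2005, so that year is assumed.
ASSUMED_YEAR = 2005

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?:(?P<host>\S+)\s+)?"                  # remote host; absent for console and ~ entries
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2})"
    r"(?P<rest>.*)$"
)


@dataclass
class LastEntry:
    user: str
    tty: str
    host: Optional[str]
    start: datetime
    rest: str        # "- 12:05  (00:04)", "- shutdown  (00:10)" or empty
    raw: str


def parse_last(text: str, year: int = ASSUMED_YEAR) -> List[LastEntry]:
    """Parse last(1) output (newest record first) into LastEntry objects."""
    entries: List[LastEntry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("wtmp begins"):
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised last(1) line: {raw!r}")
        start = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M"
        )
        entries.append(
            LastEntry(m["user"], m["tty"], m["host"], start, m["rest"].strip(), raw)
        )
    return entries


def find_out_of_order(entries: List[LastEntry]) -> List[LastEntry]:
    """last(1) lists records newest first, so each start time should be no
    earlier than the record below it. Return every record that is earlier than
    its successor, i.e. that sits in the wrong place in the sequence."""
    flagged = []
    for cur, older in zip(entries, entries[1:]):
        if cur.start < older.start:
            flagged.append(cur)
    return flagged


if __name__ == "__main__":
    for entry in find_out_of_order(parse_last(SAMPLE_LAST)):
        print("out of order:", entry.raw)
```

The script only establishes that the wtmp record stream is inconsistent with itself; it cannot say why. Corroborating the flagged time against the other logs on the box, as Brett did, is still the necessary next step.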
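To show what Adriaan's tripwire/aide suggestion buys you, here is an added, minimal file-integrity checker in Python (example code, not from the thread and not how tripwire or aide are implemented): it records a SHA-256 digest, size and permission bits for every regular file under a tree, and later reports files that were added, removed or changed against that baseline. The demo directory layout and file contents are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# (sha256 hex digest, size in bytes, permission bits). Real tools record many
# more attributes (inode, link count, mtime/ctime, owner) and sign the database.
Fingerprint = Tuple[str, int, int]


def fingerprint(path: str) -> Fingerprint:
    """Hash the file contents and capture size and mode from lstat(2)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode)


def build_baseline(root: str) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file below root, keyed by path relative to root."""
    baseline: Dict[str, Fingerprint] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a real tool records link targets too; skipped here
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(old: Dict[str, Fingerprint], new: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Diff two baselines: paths added, removed, or whose fingerprint differs."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(root: str, rel: str, data: bytes) -> None:
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)


def demo_in_tempdir() -> Dict[str, List[str]]:
    """Constructed demonstration: take a baseline of a small fake tree, then
    replace one file with content of the same length, add one file and delete
    one, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sbin"))
        os.makedirs(os.path.join(root, "etc"))
        _write(root, "sbin/ls", b"ls binary v1")
        _write(root, "etc/old.conf", b"keep=yes\n")
        _write(root, "etc/rc.conf", b"hostname=router\n")
        baseline = build_baseline(root)

        _write(root, "sbin/ls", b"ls binary v2")      # same size, so only the hash reveals it
        _write(root, "etc/new.conf", b"added=later\n")
        os.remove(os.path.join(root, "etc/old.conf"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo_in_tempdir().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The approach only works if the baseline was taken while the system was known to be clean and is kept somewhere the running system cannot rewrite it (read-only media or another host); a baseline that lives on the same disk, writable by root, answers the "has this box been rooted?" question no better than the wtmp file does.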