Sure, FreeBSD 4.11 is very easy for a remote attacker to root. All you need to do is let a user on it set up some convenient password like the word "password" for the root user, and use the same on an easy-to-remember userID like "sam" or "bob", then put a DNS entry in for it like "porno-pictures.example.com" and post that on a popular website and it shouldn't take but a few days for it to get rooted.

Other than that, give me a break, Brett. If this is a router and an out of the box install then there's no services turned on that can be rooted. Is it customary to run a webserver on your router nowadays? Give us a list of services this box is running and we can give you a better idea of how easy it might be to root.

Ted

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Brett Glass
>Sent: Wednesday, July 06, 2005 9:42 AM
>To: [EMAIL PROTECTED]
>Subject: Has this box been hacked?
>
>
>A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
>router wasn't the cause of it, so I rebooted it. I then did a "last" command
>and saw the following:
>
>root     ttyv0            Tue Jul  5 12:01 - 12:05  (00:04)
>admin    ttyp0  localhost Tue Jul  5 11:57 - 11:57  (00:00)
>root     ttyv0            Tue Jul  5 11:49 - 12:00  (00:11)
>reboot   ~                Tue Jul  5 11:49
>shutdown ~                Tue Jul  5 11:47
>root     ttyv0            Tue Jul  5 11:37 - shutdown  (00:10)
>reboot   ~                Tue Jul  5 11:36
>shutdown ~                Tue Jul  5 05:36
>shutdown ~                Tue Jul  5 11:22
>
>Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
>chronological order and the other logs don't show the typical debug messages
>at that time. Where might such an entry come from? How likely is it that the box
>has been rooted? Are there known exploits that might have been used to root a
>FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a
>few attempts to log in as "root" via SSH. The attempts that were logged were
>not successful, but of course a skilled attacker would cover his tracks.)
>
>--Brett
>
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "[EMAIL PROTECTED]"
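
The ordering check described in the quoted message, as an added example that is not part of either post: wtmp records are appended as they are written, so reading `last` output from the bottom up should give non-decreasing timestamps. The year is an assumption (`last` does not print it), and a backward jump only shows that the clock read differently when that record was written or that the file was changed afterwards; the check cannot tell which.

```python
import re
from datetime import datetime

# The `last` output quoted in the message above (newest record first),
# with the mail client's line wraps joined.
SAMPLE = """\
root     ttyv0            Tue Jul  5 12:01 - 12:05  (00:04)
admin    ttyp0  localhost Tue Jul  5 11:57 - 11:57  (00:00)
root     ttyv0            Tue Jul  5 11:49 - 12:00  (00:11)
reboot   ~                Tue Jul  5 11:49
shutdown ~                Tue Jul  5 11:47
root     ttyv0            Tue Jul  5 11:37 - shutdown  (00:10)
reboot   ~                Tue Jul  5 11:36
shutdown ~                Tue Jul  5 05:36
shutdown ~                Tue Jul  5 11:22
"""

# User name, then the first "Day Mon DD HH:MM" on the line (the record's start time).
STAMP = re.compile(r"^(\S+)\s.*?\b(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
                   r"([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2})")

def parse_last(text, year=2005):
    """Return (user, start_time, raw_line) per record, oldest first.
    year is assumed from the mail's date; year rollover is not handled."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if not m or line.startswith("wtmp begins"):  # skip blanks and the trailer
            continue
        user, mon, day, hhmm = m.groups()
        when = datetime.strptime(f"{year} {mon} {day} {hhmm}", "%Y %b %d %H:%M")
        records.append((user, when, line.strip()))
    records.reverse()  # last prints newest first; the file is written oldest first
    return records

def backward_jumps(records):
    """Records stamped earlier than the record written just before them,
    as (user, timestamp, size of the backward step)."""
    hits = []
    for prev, cur in zip(records, records[1:]):
        if cur[1] < prev[1]:
            hits.append((cur[0], cur[1], prev[1] - cur[1]))
    return hits

if __name__ == "__main__":
    for user, when, delta in backward_jumps(parse_last(SAMPLE)):
        print(f"{user} at {when:%b %d %H:%M} is {delta} behind the previous record")
```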