When I am in that same position, as a rule I tell the customer that I would assume the system was rooted. The reason is that all of the times I've been called in on this type of job it has been because the previous admin was fired and they wanted to make sure he wasn't getting back in remotely.
The person who set the system up did not leave on bad terms. However, before taking the system down and setting it up from scratch (and charging them to do so) I'd like to know if anyone is aware of whether what I saw is common on boxes that have been rooted. Is that shutdown entry cause for
deliberately or inadvertently leave a back door, that is their decision to make.
Ted
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Brett Glass
Sent: Sunday, July 10, 2005 11:26 AM
To: Ted Mittelstaedt; [EMAIL PROTECTED]
Subject: RE: Has this box been hacked
Give ME a break. You're only stating the obvious: the more daemons are running, the more exposure. This particular box is running BIND 8, a transparent Squid proxy, and SSH. BIND is sandboxed and Squid is running as a nonprivileged user. Squid is also set not to take requests from outside.
I
At 05:32 PM 7/7/2005, J65nko BSD wrote:
If you would have installed something like tripwire or aide, you would have been in a better position to find out whether the box has been owned.
I didn't build the machine.
--Brett Glass
On 7/8/05, Brett Glass [EMAIL PROTECTED] wrote:
Give ME a break. You're only stating the obvious: the more daemons are running, the more exposure.
Brett, say hello to my insta-trash filter.
Get a haircut, you damn hippie.
http://www.ymmv.com/gifs/brett.gif
This particular box is running BIND
On 7/6/05, Brett Glass [EMAIL PROTECTED] wrote:
A client had a network problem, and I wanted to make sure that his FreeBSD 4.11 router wasn't the cause of it, so I rebooted it. I then did a last command and saw the following:
root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04)
admin ttyp0
Sure, FreeBSD 4.11 is very easy for a remote attacker to root. All you need to do is let a user on it set up some convenient password like the word password for the root user, and use the same on an easy-to-remember userID like sam or bob, then put a DNS entry in for it like