On 7/6/05, Brett Glass <[EMAIL PROTECTED]> wrote:
> 
> A client had a network problem, and I wanted to make sure that his FreeBSD 4.11
> router wasn't the cause of it, so I rebooted it. I then did a "last" command
> and saw the following:
> 
> root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04)
> admin ttyp0 localhost Tue Jul 5 11:57 - 11:57 (00:00)
> root ttyv0 Tue Jul 5 11:49 - 12:00 (00:11)
> reboot ~ Tue Jul 5 11:49
> shutdown ~ Tue Jul 5 11:47
> root ttyv0 Tue Jul 5 11:37 - shutdown (00:10)
> reboot ~ Tue Jul 5 11:36
> shutdown ~ Tue Jul 5 05:36
> shutdown ~ Tue Jul 5 11:22
> 
> Note the "shutdown" entry with the time 5:36 AM, which is odd because it's out of
> chronological order and the other logs don't show the typical debug messages
> at that time. Where might such an entry come from? How likely is it that the box
> has been rooted? Are there known exploits that might have been used to root a
> FreeBSD 4.11-RELEASE machine? (The only unusual activity I can see in the logs is a
> few attempts to log in as "root" via SSH. The attempts that were logged were
> not successful, but of course a skilled attacker would cover his tracks.)


If you had installed something like tripwire or aide, you would have 
been in a better position to find out whether the box has been owned. See 
http://www.onlamp.com/pub/a/bsd/2003/04/03/FreeBSD_Basics.html

=Adriaan=
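An added example, not part of the thread: a small Python check that parses the `last` output quoted above and reports records whose start time is later than the record printed above them, which is exactly what makes the 05:36 shutdown entry stand out. The year is assumed to be 2005, since FreeBSD 4.x `last` prints none; the sample text is the quoted listing with columns collapsed to single spaces.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample: the `last` listing quoted in the mail. FreeBSD 4.x
# `last` prints no year, so the parser takes the year as a parameter.
SAMPLE_LAST_OUTPUT = """\
root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04)
admin ttyp0 localhost Tue Jul 5 11:57 - 11:57 (00:00)
root ttyv0 Tue Jul 5 11:49 - 12:00 (00:11)
reboot ~ Tue Jul 5 11:49
shutdown ~ Tue Jul 5 11:47
root ttyv0 Tue Jul 5 11:37 - shutdown (00:10)
reboot ~ Tue Jul 5 11:36
shutdown ~ Tue Jul 5 05:36
shutdown ~ Tue Jul 5 11:22
"""

# "<user> <tty> [host] <Dow> <Mon> <day> <HH:MM> ..." with the columns
# collapsed to single spaces as in the mail; the host column is optional.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<dow>[A-Z][a-z]{2})\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2})"
)

Entry = namedtuple("Entry", "user tty host start")


def parse_last(text, year):
    """Parse `last` output (newest record first) into Entry tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and the "wtmp begins" trailer
        stamp = "%s %s %d %s" % (m["mon"], m["day"], year, m["time"])
        start = datetime.strptime(stamp, "%b %d %Y %H:%M")
        entries.append(Entry(m["user"], m["tty"], m["host"], start))
    return entries


def out_of_order(entries):
    """Return (newer, older) pairs where the record printed below another
    carries a later start time. `last` walks wtmp backwards, so times must
    never increase reading down; a pair that does deserves a closer look."""
    return [(a, b) for a, b in zip(entries, entries[1:]) if b.start > a.start]
```

The check only isolates the offending pair; deciding which of the two records is the odd one (here the 05:36 shutdown) is still the analyst's job, and a stepped clock is as plausible a cause as an edited wtmp.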
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions