[Gllug] My firewall is rooted

Xander D Harkness xander at harkness.co.uk
Mon Jul 15 11:29:12 UTC 2002

Stephen Harker wrote:

>OK. So I ssh into the firewall (first time in a week or so) to discover loads 
>of running processes ./a and a new user in my password file called dave. So 
>out he goes and shutdown all the processes. Passwd file was locked so I 
>removed /etc/ptmp and removed the dave entry. (BTW this is an OpenBSD box)
>Rebooted the machine. First mistake.
>Now my root password doesn't work any more. So. Do I want to even bother 
>fixing this machine up or shall I just rescue my pf and nat rules, wipe the 
>box and start again? Will there be a load of backdoors and other nasties on 
>there now? 
I would suggest saving the rules and starting again.

I think that otherwise you will never have full confidence in the box 
again.  You might also want to have some peer review of the rules, on 
the basis that someone got past them.

I would expect there to be at least two or three back doors.

Kind regards
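
Added example (not from either poster, and not OpenBSD's own tooling): a small
triage script for the two indicators Stephen describes, a new account that
appeared in the password file and processes running as "./a". It compares a
copy of the box's /etc/passwd against a known-good baseline, flags any non-root
UID 0 entries, and picks out processes whose command is a relative path. All
three inputs below are constructed for the example (the baseline, the "found"
passwd file with the added "dave" line, and the ps listing, including the user
"steve", the PIDs and the "-p 31337" argument); nothing is taken from the real
machine. Run it from a rescue system over files copied off the disk rather than
on the live box, since after a root compromise the box's own ps, awk and sh
cannot be trusted, which is also why the reply above recommends a rebuild.

```shell
#!/bin/sh
# Post-compromise triage helper (added example, not part of the original thread).
# Inputs are passed as strings so it can run offline over copies of the files;
# on a real incident, feed it `cat passwd` and `ps -axo pid,user,command`
# output captured from a trusted rescue environment.

# Constructed baseline: what /etc/passwd looked like before the incident.
BASELINE_PASSWD='root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
steve:*:1000:1000:Stephen:/home/steve:/bin/ksh'

# Constructed copy of the file as found after the intrusion: one extra
# account, and it has been given UID 0 (a second root), which is the usual
# shape of a backdoor account.
FOUND_PASSWD='root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
steve:*:1000:1000:Stephen:/home/steve:/bin/ksh
dave:*:0:0::/tmp:/bin/sh'

# Constructed "ps -axo pid,user,command" output. The PIDs and the "-p 31337"
# argument are made up for the example.
PS_OUTPUT='  PID USER     COMMAND
    1 root     /sbin/init
  214 root     /usr/sbin/sshd
 3312 dave     ./a
 3313 dave     ./a -p 31337
 4102 root     /usr/sbin/cron'

# Print account names present in the found passwd ($2) but absent from the
# baseline ($1). The baseline is handed to awk as a variable so no temp files
# are needed on the (untrusted) box.
new_accounts() {
    printf '%s\n' "$2" | awk -F: -v base="$1" '
        BEGIN {
            n = split(base, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); seen[f[1]] = 1 }
        }
        !($1 in seen) { print $1 }'
}

# Print every account with UID 0 other than root itself.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print "pid user command" for processes whose binary is not an absolute path
# (e.g. "./a" started from a dropped directory). Expect some benign noise on a
# real box; the point is to surface them for a human to look at.
relative_path_procs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 !~ /^\// { print $1, $2, $3 }'
}

# Same filter, but just the count, for a quick summary line.
count_relative_path_procs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 !~ /^\// { n++ } END { print n + 0 }'
}

# Human-readable report over the three inputs.
triage() {
    echo "== accounts not in baseline =="
    new_accounts "$1" "$2"
    echo "== non-root UID 0 accounts =="
    uid0_accounts "$2"
    echo "== processes run from a relative path ($(count_relative_path_procs "$3")) =="
    relative_path_procs "$3"
}

triage "$BASELINE_PASSWD" "$FOUND_PASSWD" "$PS_OUTPUT"
```

On the constructed data the report names "dave" twice (new and UID 0) and
lists PIDs 3312 and 3313. A clean report proves nothing, of course: a rootkit
that patches ps or the C library hides exactly these things, which is the case
for wiping the box rather than cleaning it.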

