[Gllug] My firewall is rooted

Stephen Harker steve at pauken.co.uk
Mon Jul 15 12:01:37 UTC 2002


On Monday 15 July 2002 12:27, tet at accucard.com wrote:
> >OK. So I ssh into the firewall (first time in a week or so) to discover
> > loads of running processes ./a and a new user in my password file called
> > dave. So out he goes and shutdown all the processes. Passwd file was
> > locked so I removed /etc/ptmp and removed the dave entry. (BTW this is an
> > OpenBSD box) Rebooted the machine. First mistake.
> >Now my root password doesn't work any more. SO. Do I want to even bother
> >fixing this machine up or shall I just rescue my pf and nat rules, wipe
> > the box and start again? Will there be a load of backdoors and other
> > nasties on there now?
>
> Yep, wipe the box and start again. For a firewall box, that's pretty
> much the only option. Once it's been compromised, it's untrustworthy,
> which for a firewall is pretty terminal...
>
> Tet

Well! It turns out that apparently I'm gay and that "I have been owned" and
also that "The KREW has struck again". I take it that this is script-kiddy
stuff. I wonder how they got in. The only thing running was sshd. Maybe they
got in through that. All the log messages have gone :-/
Normal service shall resume in an hour or so...
Steve
-- 
Stephen Harker
steve at pauken.co.uk

"The sooner we fall behind, the longer we have to catch up!"


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



