[Gllug] My firewall is rooted

Walid Shaari ws at melinux.com
Mon Jul 15 12:54:07 UTC 2002


On Mon, 2002-07-15 at 13:01, Stephen Harker wrote:
> On Monday 15 July 2002 12:27, tet at accucard.com wrote:
> > >OK. So I ssh into the firewall (first time in a week or so) to discover
> > > loads of running processes ./a and a new user in my password file called
> > > dave. So out he goes and shutdown all the processes. Passwd file was
> > > locked so I removed /etc/ptmp and removed the dave entry. (BTW this is an
> > > OpenBSD box) Rebooted the machine. First mistake.
> > >Now my root password doesn't work any more. SO. Do I want to even bother
> > >fixing this machine up or shall I just rescue my pf and nat rules, wipe
> > > the box and start again? Will there be a load of backdoors and other
> > > nasties on there now?
> >
> > Yep, wipe the box and start again. For a firewall box, that's pretty
> > much the only option. Once it's been compromised, it's untrustworthy,
> > which for a firewall is pretty terminal...
> >
> > Tet
> Well! It turns out that apparently I'm gay and that "I have been owned" and 
> also that "The KREW has struck again". I take it that this is script-kiddy 
> stuff. I wonder how they got in. The only thing running was sshd. Maybe they 
> got in through that. All the log messages have gone :-/
> Normal service shall resume in an hour or so...
> Steve

I thought I had replied to that earlier, mmh, never mind.
Take a look at what /. said several days ago:
http://bsd.slashdot.org/article.pl?sid=02/07/13/0346209&mode=thread&tid=172

That's how you have b33n owned :)
 
> -- 
> Stephen Harker
> steve at pauken.co.uk
> 
> "The sooner we fall behind, the longer we have to catch up!"
> 
> 
> -- 
> Gllug mailing list  -  Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
> 