[Gllug] My firewall is rooted

tet at accucard.com tet at accucard.com
Mon Jul 15 11:27:17 UTC 2002

>OK. So I ssh into the firewall (first time in a week or so) to discover loads
>of running processes ./a and a new user in my password file called dave. So
>out he goes and I shut down all the processes. Passwd file was locked so I
>removed /etc/ptmp and removed the dave entry. (BTW this is an OpenBSD box)
>Rebooted the machine. First mistake.
>Now my root password doesn't work any more. So. Do I want to even bother
>fixing this machine up or shall I just rescue my pf and nat rules, wipe the
>box and start again? Will there be a load of backdoors and other nasties on
>there now?

Yep, wipe the box and start again. For a firewall box, that's pretty
much the only option. Once it's been compromised, it's untrustworthy,
which for a firewall is pretty terminal...
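As an added triage example (not part of the thread above, and not anything tet or the original poster wrote), the two signs the poster noticed can be checked mechanically before deciding to wipe: accounts in passwd that are not on a known-good list, and processes running from a relative path such as ./a. The baseline account list, the passwd snapshot and the ps listing below are constructed sample data; on a real box this belongs on trusted media, because a compromised system's own ps and shell cannot be believed.

```shell
#!/bin/sh
# Added triage helpers (not from the original thread). Flags passwd entries
# not in a known-good account list and processes started from a relative
# path like "./a". All input here is constructed sample data; run from
# trusted media on a real host, since a rooted box's own tools may lie.

# Constructed baseline of accounts the admin expects on an OpenBSD firewall.
BASELINE="root daemon operator bin build sshd _pflogd _syslogd nobody"

# Constructed /etc/passwd snapshot; "dave" is the uninvited entry.
PASSWD_SAMPLE='root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
dave:*:1001:1001:dave:/home/dave:/bin/ksh
_pflogd:*:75:75:pflogd privsep:/var/empty:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin'

# Constructed "ps -axo pid,user,command" output, header line included.
PS_SAMPLE='  PID USER     COMMAND
    1 root     /sbin/init
  812 root     /usr/sbin/sshd
 2201 dave     ./a
 2202 dave     ./a
 2203 dave     ./a
 3010 root     /usr/sbin/pflogd'

# Print each login from the passwd text that is not in BASELINE, one per line.
unknown_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r login _rest; do
        case " $BASELINE " in
            *" $login "*) ;;                 # expected account, skip it
            *) printf '%s\n' "$login" ;;     # not on the list: report it
        esac
    done
}

# Print "pid user command" for processes whose command starts with "./",
# skipping the ps header line.
relative_path_procs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^\.\// { print $1, $2, $3 }'
}

# Counts are handy for a quick "is anything wrong" exit status.
count_unknown_accounts() { unknown_accounts "$1" | wc -l | tr -d ' '; }
count_relative_procs()   { relative_path_procs "$1" | wc -l | tr -d ' '; }
```

A non-zero count from either helper is a reason to stop trusting the box, not a list of things to clean up; the rebuild advice above still stands.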


