On my laptop, on session #1, and I get a notice that someone did an su.
Except I'm the only user and I didn't have an ethernet cord connected.
(And no, it wasn't me...)
I just built this laptop a few days ago. Fresh. I did have to get on the
net to download/make/install a few critical packages. I do development.
My guess, not one shred of evidence, is that someone got in while I was
re-building packages. Some, (for example Maxima,) take hours. And because
of problems with gnuplot and pdflib, won't build as packages without
And how would they have done that:
- weak root password or something ?
- did you allow rootlogin at all through SSH ?
I work with dozens of FreeBSD boxes at work, all of which are under
heavy load and present juicy targets for attackers.
We've not had a single breach in security since I started.
You're looking for means of increasing security, it seems to me, once an
attacker already has the root.
I would suggest preventing said attacker from obtaining the root in the
Perhaps one of the packages you downloaded was backdoored ?