Date:      Thu, 11 Aug 2005 16:50:23 +0100
From:      Yann Golanski <yann@kierun.org>
To:        Ken Hawkins <ken@rosewoodblues.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: newbie with www user security problem
Message-ID:  <20050811155023.GA83536@kierun.org>
In-Reply-To: <32C41BA6-A923-4A01-B332-8B73E39561B1@rosewoodblues.com>
References:  <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com> <20050811134650.GC26471@pcwin002.win.tue.nl> <1123772050.42fb669291ae3@webmail.boxke.be> <20050811150434.GD26471@pcwin002.win.tue.nl> <32C41BA6-A923-4A01-B332-8B73E39561B1@rosewoodblues.com>

Quoth Ken Hawkins on Thu, Aug 11, 2005 at 11:32:44 -0400
> The box is secure that much i have found out. the only problems have
> been with this email spamming. nothing in the tmp dirs out of the
> ordinary and no missing files running scripts etc. I have changed
> everyone passwords on the box. *'d the www password, ensured there is
> no shell with the www user, etc.

Have you run chkrootkit on it?

> i am in the process of upgrading the ports now and there are problems
> (of course). the ports seem to have been mangled as the listing in
> /var/db/ports does not match what i KNOW is running on the box. The
> person i have inherited this from manually deleted from the
> /var/db/ports to get some of the applications to re-install! gotta love that!

ICK!  Make sure your database is fine; otherwise, you'll get into no end
of trouble.

> well here i come port fix hell! This is a production box and can't be
> taken off line as of this moment so i am going to have to attempt on
> the fly fixing / upgrading of the ports.  i would love to wipe it but
> it is just not a possibility right now.

Oh dear.  How about leaving it as is -- minus the spam emailer -- and
rebuilding another one to replace it?

-- 
yann@kierun.org                  -=*=-                      www.kierun.org
    PGP:   009D 7287 C4A7 FD4F 1680  06E4 F751 7006 9DE2 6318
