From: Yann Golanski <yann@kierun.org>
To: Ken Hawkins
Cc: freebsd-security@freebsd.org
Date: Thu, 11 Aug 2005 16:50:23 +0100
Message-ID: <20050811155023.GA83536@kierun.org>
In-Reply-To: <32C41BA6-A923-4A01-B332-8B73E39561B1@rosewoodblues.com>
Subject: Re: newbie with www user security problem

Quoth Ken Hawkins on Thu, Aug 11, 2005 at 11:32:44 -0400
> The box is secure, that much I have found out. The only problems have
> been with this email spamming. Nothing in the tmp dirs out of the
> ordinary and no missing files, running scripts, etc. I have changed
> everyone's passwords on the box, *'d the www password, ensured there is
> no shell with the www user, etc.

Have you run chkrootkit on it?

> I am in the process of upgrading the ports now and there are problems
> (of course). The ports seem to have been mangled, as the listing in
> /var/db/ports does not match what I KNOW is running on the box. The
> person I have inherited this from manually deleted from /var/db/ports
> to get some of the applications to re-install! Gotta love that!

ICK! Make sure your database is fine, otherwise you'll get into no end of
trouble.

> Well, here I come, port fix hell! This is a production box and can't be
> taken offline as of this moment, so I am going to have to attempt on
> the fly fixing / upgrading of the ports. I would love to wipe it but
> it is just not a possibility right now.

Oh dear. How about leaving it as is -- minus the spam emailer -- and
rebuilding another one to replace it?

--
yann@kierun.org -=*=- www.kierun.org
PGP: 009D 7287 C4A7 FD4F 1680 06E4 F751 7006 9DE2 6318
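The two hardening checks Ken mentions for the www account (a `*`'d password field and no login shell) can be verified mechanically rather than by eye. The script below is an added example written for this thread, not code posted by either participant; the `master.passwd`-style lines it reads are constructed sample data, and the `check_account` helper name is this example's own. It reports, per account, whether the password field is locked and whether the shell is a nologin shell, so a service account that has quietly regained a usable shell or password stands out.

```sh
#!/bin/sh
# Added example: audit service accounts in FreeBSD master.passwd format
# (name:password:uid:gid:class:change:expire:gecos:home:shell).
# The data below is constructed for the example; on a real host you would
# feed the contents of /etc/master.passwd (readable only by root).

SAMPLE_PASSWD='root:$1$abc$hash:0:0::0:0:Charlie &:/root:/bin/sh
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
spamuser:$1$xyz$hash:1001:1001::0:0:Leftover account:/home/spamuser:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin'

# check_account USER PASSWD_CONTENT
# Prints "ok" when the password field is locked ('*') and the shell is a
# nologin shell; otherwise prints the findings ("has-password", "has-shell")
# separated by spaces. Prints "missing" if the account does not exist.
# Exit status: 0 = ok, 1 = findings, 2 = account missing.
check_account() {
  user=$1
  line=$(printf '%s\n' "$2" | grep -- "^${user}:")
  if [ -z "$line" ]; then
    echo "missing"
    return 2
  fi
  pw=$(printf '%s' "$line" | cut -d: -f2)
  shell=$(printf '%s' "$line" | awk -F: '{print $NF}')
  findings=""
  # A locked account has exactly '*' in the password field.
  [ "$pw" = "*" ] || findings="${findings}has-password "
  # Accept the usual nologin shells; anything else counts as a real shell.
  case "$shell" in
    /usr/sbin/nologin|/sbin/nologin|/bin/false|/usr/bin/false) ;;
    *) findings="${findings}has-shell " ;;
  esac
  if [ -z "$findings" ]; then
    echo "ok"
    return 0
  fi
  printf '%s\n' "${findings% }"
  return 1
}

# Stand-alone run: report on the accounts a web server box would care about.
# root legitimately has a shell and password, so it is listed only for contrast.
for u in www nobody spamuser root; do
  printf '%-10s %s\n' "$u" "$(check_account "$u" "$SAMPLE_PASSWD")"
done
```

Run as root against the real file with `check_account www "$(cat /etc/master.passwd)"`; a non-zero exit from the function is the signal to investigate, since the www account on a FreeBSD box should never report `has-shell` or `has-password`.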