Date:      Tue, 5 Jan 1999 13:42:49 +1100 (EST)
From:      Jim Mock <jim@corp.au.triax.com>
To:        Mike Alich <hostmaster@cctinc.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: HACKED & SECURITY
Message-ID:  <Pine.BSF.4.05.9901051327490.264-100000@corp.au.triax.com>
In-Reply-To: <36916425.10286B80@cctinc.net>

On Mon, 4 Jan 1999, Mike Alich wrote:

> I am hoping you can help me...
> 
> My server got hacked and there was no evidence in the root .history
> file of their actions.  I believe they have a backdoor program on
> the server they run.
>

Do a find for ... directories..

find / -name "..." -print

It'd be interesting to see if they've got any hidden.  A guess would
be /usr/lib/... or /dev/...

Also check /dev for any devices that shouldn't be there or that look
suspicious.  That could be their backdoor.

> I have disabled all shell login except myself.
> The only inetd running is FTP and qpopper mail server.
>

Make sure that your network interface isn't in promiscuous mode.  If it
is, there's most likely a sniffer running.. ifconfig -a |grep PROMISC
or just ifconfig -a should do it.. netstat -rn may also come in handy.

If it is (even if it isn't) in promiscuous mode, take the machine
offline and change the passwords for anyone who has shell access
(including root).  Then bring it back up and if they did have your
password, it won't work.

What version of qpopper is it?  If it's under 2.53, upgrade.  Check
/var/log/messages for traces of anyone getting in other than you.  If
you need to, set up syslog to log everything there.
 
> I only use ssh for server access
>

Good.

> And I have done binary file restores from the live file system cd
> to the following:
> /bin
> /sbin
> /usr/bin
> /usr/sbin
> /usr/libexec
> 
> Is there any other file areas (binaries) I need to restore?
>

There's a list of files commonly replaced on the CERT web site..
http://www.cert.org/.  See the "Detect and Recover from an Incident"
section.

> I have run diff's on all of the above files and they are good.
>

Good.

> Also do you have any ideas of how they got in.  I believe they have
> been in for a while now.
>

My guess would be popper if it's an older version, or if it was an
older version.  How long do you think they've had access?

Hope this helps,

-- 
: Jim Mock			| [jim@corp.au.triax.com]	:
: System Administrator		| http://www.triax.com/		:
: Triax Internet Services	| ----------------------------- :
: Portland, OR USA		| FreeBSD: The Power to Serve	:
: Wagga Wagga, NSW Australia	| http://www.freebsd.org/	:
