Date: Thu, 28 Aug 2003 17:22:25 +0200
From: "Guy P." <guy@device.dyndns.org>
To: freeBSD-security@freebsd.org
Subject: Re: compromised server
Message-ID: <5.2.1.1.0.20030828171237.02796a00@device.dyndns.org>
In-Reply-To: <C779A76E-D965-11D7-A329-000393DED9F6@jahmon.com>
At 16:41 28/08/2003, jahmon wrote:

>I have a server that has been compromised.
>I'm running version 4.6.2
>when I do
>
>last
>
>this line comes up in the list.
>shutdown ~ Thu Aug 28 05:22
>That was the time the server went down.
>There seemed to be some configuration changes.
>Some of the files seemed to revert back to default versions
>(httpd.conf, resolv.conf)
>
>Does anyone have a clue what type of exploit they may have used?
>Is there any way I can find out if there are any trojans installed?
>
>Thanks
>
>jahmon

Usual process is to shut down the computer ASAP, and never boot again from
its current disk until it's wiped out, or until you have retrieved all the
information you wanted. Instead, boot off a CD (a live filesystem if you
have one, but the install CD could do too) and make sure to mount your
(compromised) disk(s) read-only, without running anything executable off
them. Then proceed to the investigation.

First step would be chkrootkit (though part of its tests require you to
run it "live" on the suspicious system). Also spend some time reading the
various /var/log files (but don't rely on their integrity). If you have an
aide or tripwire "image" of your system somewhere, time to put it to use.

For more ideas you could read for instance the archives of the honeynet
challenges ( http://project.honeynet.org/misc/chall.html ).

gd'luk

--
Guy
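The reply above leans on two things: mounting the suspect disk read-only and non-executable from boot media, and comparing the mounted tree against an integrity "image" taken earlier (what aide and tripwire do). The script below is an added example, not part of the thread and not aide, tripwire or chkrootkit: it builds a SHA-256 manifest of every regular file under a directory and later reports which files CHANGED, went MISSING or are NEW relative to that manifest. Device name, mount point and manifest path in the comments are placeholders; the sample tree used in the usage note is constructed for the demonstration.

```shell
#!/bin/sh
# Minimal file-integrity baseline/verify in the spirit of aide/tripwire.
# Added example; not the tools named in the thread.
#
# Typical use after an incident (device and paths are placeholders):
#   boot from install/live media, then mount the suspect filesystem
#   read-only with no executables, setuid binaries or device nodes honoured:
#     mount -r -o noexec,nosuid,nodev /dev/PLACEHOLDER /mnt
#   and compare it against a manifest taken while the box was still trusted:
#     sh integrity.sh build  /      /media/baseline.txt   # before
#     sh integrity.sh verify /mnt   /media/baseline.txt   # after, from boot media
set -u

# Print the SHA-256 of "$1"; assumes one of these tools exists on the rescue media.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# build_baseline ROOT MANIFEST: one "hash ./relative/path" line per regular file.
build_baseline() {
    root=$1; manifest=$2
    ( cd "$root" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$root/$f")" "$f"
    done > "$manifest"
}

# verify_baseline ROOT MANIFEST: print CHANGED/MISSING/NEW lines, one per finding.
# Prints nothing when the tree still matches the manifest.
verify_baseline() {
    root=$1; manifest=$2
    report=$(mktemp)
    # Files the baseline knows about: hash mismatch or gone.
    while read -r h f; do
        if [ ! -f "$root/$f" ]; then
            echo "MISSING $f"
        elif [ "$(hash_file "$root/$f")" != "$h" ]; then
            echo "CHANGED $f"
        fi
    done < "$manifest" > "$report"
    # Files present now that the baseline never saw (dropped binaries, new rc hooks).
    ( cd "$root" && find . -type f | LC_ALL=C sort ) > "$report.cur"
    cut -d' ' -f2- "$manifest" | LC_ALL=C sort > "$report.base"
    comm -13 "$report.base" "$report.cur" | sed 's/^/NEW /' >> "$report"
    cat "$report"
    rm -f "$report" "$report.cur" "$report.base"
}

# Command-line dispatch; does nothing when the file is merely sourced.
if [ $# -eq 3 ]; then
    case "$1" in
        build)  build_baseline  "$2" "$3" ;;
        verify) verify_baseline "$2" "$3" ;;
        *)      echo "usage: $0 build|verify ROOT MANIFEST" >&2; exit 2 ;;
    esac
fi
```

Two caveats that apply to real tools as well: the manifest is only worth anything if it was written before the compromise and kept off the suspect disk (a manifest that lived on the box can be rewritten by whoever rewrote httpd.conf), and a hash comparison says a file changed, not who changed it; pair the report with the /var/log review and `last` output mentioned above, treating those as leads rather than proof.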
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.2.1.1.0.20030828171237.02796a00>