Date: Thu, 28 Aug 2003 09:45:24 -0700 (PDT)
From: twig les <twigles@yahoo.com>
To: "Devon H. O'Dell" <dodell@sitetronics.com>, jahmon <jahmon@jahmon.com>, freebsd-security@freebsd.org
Subject: Re: compromised server
Message-ID: <20030828164524.7275.qmail@web10105.mail.yahoo.com>
In-Reply-To: <3F4E2A84.4050007@sitetronics.com>
No one will be able to even guess how they got in without knowing what you are running on the box (IIS, MSSql, etc. [hahah, jk]). Although this may be belated, there is an excellent book called "Incident Response: Investigating Computer Crime" from authors Mandia and Prosise. Unfortunately I can almost guarantee that the advice the book will give you is to restore from the last known-good backup after re-installing the OS cleanly.

If you were going to try to go hardcore forensics on an intrusion you would have to already have a nice set of utilities, hopefully on CD or floppy, ready to be mounted like: ps, ls, top, The Coroner's Toolkit, etc (I'm sure I'm missing a bunch).

Sorry for the doom and gloom (and the lame MS joke) but the book is truly a fascinating read even if you have nothing to do with incident response.

--- "Devon H. O'Dell" <dodell@sitetronics.com> wrote:
> Heh, I forgot to send this to the group... so here it is.
>
> To check for suid and sgid programs, run the following command:
>
>     find / -type f \( -perm -04000 -o -perm -02000 \)
>
> Hope this helps.
>
> --Devon
>
> jahmon wrote:
>
> > Devon,
> >
> > checked the /var/log - nothing strange found
> > ran chkrootkit - nothing found
> > checked user accounts - no new accounts found
> >
> > how do I check for suid permissions.
> >
> > Thanks,
> >
> > jahmon
> >
> > On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. O'Dell wrote:
> >
> >> You will want to read everything in /var/log, run chkrootkit, check
> >> out .history files, look for new user accounts, look for files with
> >> suid permissions and other similar stuff. I don't know of a site that
> >> really says what exactly to do. If someone knows such a reference,
> >> it'd be highly useful. Otherwise, is anybody willing to write one
> >> (I'd be willing to contribute).
> >>
> >> One good thing may be to search for computer forensics on Google;
> >> specifically for compromised servers. Combining those and other words
> >> may give you varying levels of success, I think.
> >>
> >> --Devon
> >>
> >> jahmon wrote:
> >>
> >>> I have a server that has been compromised.
> >>> I'm running version 4.6.2
> >>> when I do
> >>>
> >>> >last
> >>>
> >>> this line comes up in the list.
> >>> shutdown ~ Thu Aug 28 05:22
> >>> That was the time the server went down.
> >>> There seemed to be some configuration changes.
> >>> Some of the files seemed to revert back to default versions
> >>> (httpd.conf, resolv.conf)
> >>>
> >>> Does anyone have a clue what type of exploit they may have used?
> >>> Is there any way I can find out if there are any trojans installed?
> >>>
> >>> Thanks
> >>>
> >>> jahmon
> >>>
> >>> _______________________________________________
> >>> freebsd-security@freebsd.org mailing list
> >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------
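A defender's version of the suid/sgid check discussed in the thread, added here as an example rather than anything posted by the list members: it records a baseline of setuid/setgid files from a known-good host and reports files that have gained those bits since, which is the question jahmon was really asking. The function names, the -xdev option and the constructed demo tree are my own assumptions.

```shell
#!/bin/sh
# Baseline-and-diff check for setuid/setgid files (constructed example).
# Function names, the -xdev option and the demo tree are assumptions, not
# anything from the original thread.

# List regular files under $1 carrying the setuid (04000) or setgid (02000)
# bit, one path per line, sorted so the output can be compared with comm.
# -xdev keeps find on the starting filesystem so pseudo and network mounts
# are not walked; run it once per real filesystem for full coverage.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# Record the current set into baseline file $2. Do this on a known-good host
# (ideally right after installation) and keep the file off the machine.
save_baseline() {
    list_suid_sgid "$1" > "$2"
}

# Print paths that are setuid/setgid now but absent from baseline $2.
# comm -13 drops lines unique to the baseline and lines common to both,
# leaving only entries that appeared after the baseline was taken.
new_since_baseline() {
    list_suid_sgid "$1" | comm -13 "$2" -
}

# Self-contained demonstration on a throwaway directory tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/legit"; chmod 4755 "$tmp/bin/legit"   # expected setuid binary
    save_baseline "$tmp" "$tmp/baseline.txt"
    : > "$tmp/bin/extra"; chmod 2755 "$tmp/bin/extra"   # setgid file added later
    echo "Gained setuid/setgid since baseline:"
    new_since_baseline "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to see the constructed case; on a real host, save the baseline to removable media and compare against it from a trusted shell, since a replaced find or sort on the suspect box would defeat the check.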