Date: Mon, 27 Jun 2005 12:31:25 +0200
From: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
To: Oleg Rusanov <freebsd-amd64@molecon.ru>
Cc: freebsd-security@freebsd.org
Subject: Re: "sh -i" My server was hacked. How can i found hole on my server?
Message-ID: <42BFD57D.8090806@t-hosting.hu>
In-Reply-To: <1525910592.20050627141014@molecon.ru>
References: <1525910592.20050627141014@molecon.ru>
Oleg Rusanov wrote:
> What is better to do to clean my system?

You should back up the data you need. You can also save your configuration files: httpd.conf, etc. Then make a clean install from disc. The intruder could have installed a rootkit and modified system binaries. The best thing you can do is reinstall everything.

> How can I find the hole on my server?

That is the harder part.

1, Check your FreeBSD version with uname -a. Is it up to date? Have you upgraded to the appropriate security branch? Or does it have some security issues?

2, Think about what network daemons you are using. Check the version numbers and look for security advisories on the project homepage and in mailing list archives. Does something have a vulnerability?

3, Now, check all the homepages you host. Is there a security deficiency somewhere? If you use open-source portal projects like phpBB, which you mentioned, look for security advisories on the project homepage or in mailing list archives. If you have custom PHP code, you should examine it.

4, You can never trust anybody.... Are there local users on the machine? They might use a local root exploit if there is such a vulnerability.

If you haven't found the hole so far, you should look for advisories again... You should examine every package that you have installed.

Prevention is extremely important:

1, Subscribe to freebsd-announce and to freebsd-security-notifications and upgrade your system if necessary.

2, Subscribe to the announce and security lists of *each* piece of software you use and upgrade it if necessary.

3, Place only trusted and secure code on the hosted websites.

4, If somebody doesn't need a unix account, don't give him one. Or if he needs one, try to minimize the privileges he gets. The most powerful protection is to set up a jail environment and use it for giving out user accounts.

Cheers,

Gábor Kövesdán

P.S.: I've removed freebsd-amd64 from the cc list, since this is related to freebsd-security.
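The "check version numbers against advisories" step of the reply, as an added example that is not part of the original message or of any FreeBSD tool: on a real host this is what pkg audit -F (portaudit, in 2005) does against the VuXML database, and the part worth seeing written out is the version-range comparison, since a package is "affected" only when its full FreeBSD version string (including the _N port revision and the ,N epoch) falls inside an advisory's [ge, lt) range. The package names, versions and advisory identifiers below are constructed for illustration and describe no real vulnerabilities; the version parser is a simplified form of the pkg_version(8) rules, not FreeBSD's own code.

```python
"""Offline package-version audit in the style of VuXML ranges.

Added example, not part of the original mailing-list message.  The
installed-package listing and the advisory table are CONSTRUCTED: the
package names, versions and advisory IDs are fictional.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str):
    """Split VERSION[_REVISION][,EPOCH] into (epoch, components, revision).

    Ordering mirrors FreeBSD package versions: epoch dominates, then the
    dotted version, then the port revision.  Simplified from the
    pkg_version(8) rules (hypothetical helper, not FreeBSD's implementation).
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = []
    for part in v.split("."):
        # "15a" -> (15, "a"): numeric part first, then any alphabetic suffix
        m = re.fullmatch(r"(\d*)(.*)", part)
        num = int(m.group(1)) if m.group(1) else 0
        comps.append((num, m.group(2)))
    return epoch, comps, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    n = max(len(ca), len(cb))
    ca = ca + [(0, "")] * (n - len(ca))   # treat "2" and "2.0" as equal
    cb = cb + [(0, "")] * (n - len(cb))
    ka, kb = (ea, ca, ra), (eb, cb, rb)
    return (ka > kb) - (ka < kb)


@dataclass(frozen=True)
class Advisory:
    ident: str
    package: str
    ge: Optional[str] = None   # affected if version >= ge (None: no lower bound)
    lt: Optional[str] = None   # affected if version <  lt (None: no upper bound)


def is_affected(version: str, adv: Advisory) -> bool:
    """VuXML-style half-open range check: ge <= version < lt."""
    if adv.ge is not None and compare_versions(version, adv.ge) < 0:
        return False
    if adv.lt is not None and compare_versions(version, adv.lt) >= 0:
        return False
    return True


def audit(installed: str, advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """Return (pkg-version, advisory id) for every installed package in a range.

    `installed` is a pkg-info style listing, one "name-version" per line; the
    version is everything after the last hyphen.
    """
    hits = []
    for line in installed.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version = line.rsplit("-", 1)
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                hits.append((line, adv.ident))
    return hits


# Constructed sample listing (fictional packages and versions).
INSTALLED = """\
exampleportal-2.0.10
exampled-1.3.33_1
examplelib-3.9.p1_3,1
exampletool-1.2_5
unrelated-6.3.86
"""

# Constructed advisory table (fictional identifiers and ranges).
ADVISORIES = [
    Advisory("EXAMPLE-2005-001", "exampleportal", ge="2.0", lt="2.0.15"),
    Advisory("EXAMPLE-2005-002", "exampled", lt="1.3.33_2"),       # revision matters
    Advisory("EXAMPLE-2005-003", "examplelib", ge="3.9.p1,1", lt="3.9.p1_3,1"),
    Advisory("EXAMPLE-2005-004", "exampletool", lt="1.2_3"),
]

if __name__ == "__main__":
    for pkg, ident in audit(INSTALLED, ADVISORIES):
        print(f"{pkg}: affected by {ident}")
```

Only the first two packages are reported: exampled-1.3.33_1 is caught because the port revision is compared, not just "1.3.33", while examplelib-3.9.p1_3,1 sits exactly on the exclusive upper bound and exampletool-1.2_5 is already past it. Run the real check from a trusted boot medium or against a copy of the package database, since a rootkitted host can lie about what is installed.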
freebsd-security-notifications list: <http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42BFD57D.8090806>