Date: Fri, 29 Aug 2003 06:38:12 -0600
From: Joe Warner <rootman22@comcast.net>
To: jahmon <jahmon@jahmon.com>, freeBSD-security@freebsd.org
Subject: Re: compromised server
Message-ID: <200308290638.12847.rootman22@comcast.net>
In-Reply-To: <C779A76E-D965-11D7-A329-000393DED9F6@jahmon.com>
References: <C779A76E-D965-11D7-A329-000393DED9F6@jahmon.com>

Hi Jahmon,

I'd highly recommend you try The Coroner's Toolkit (TCT):
http://www.porcupine.org/forensics/tct.html

Take a look at "Help! Someone has broken into my system!"
http://www.fish.com/tct/help-when-broken-into
..at the bottom of the page.

Good luck,
Joe

On Thursday 28 August 2003 08:41 am, jahmon wrote:
> I have a server that has been compromised.
> I'm running version 4.6.2
> when I do
>
> >last
>
> this line comes up in the list.
> shutdown ~ Thu Aug 28 05:22
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf)
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"