From: Joe Warner
To: jahmon, freeBSD-security@freebsd.org
Date: Fri, 29 Aug 2003 06:38:12 -0600
Subject: Re: compromised server

Hi Jahmon,

I'd highly recommend you try The Coroner's Toolkit (TCT):

http://www.porcupine.org/forensics/tct.html

Take a look at "Help! Someone has broken into my system!"

http://www.fish.com/tct/help-when-broken-into

..at the bottom of the page.

Good luck,

Joe

On Thursday 28 August 2003 08:41 am, jahmon wrote:
> I have a server that has been compromised.
> I'm running version 4.6.2
> when I do
>
> >last
>
> this line comes up in the list.
> shutdown ~ Thu Aug 28 05:22
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf)
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon