From owner-freebsd-questions@FreeBSD.ORG Tue Mar 9 15:50:11 2004
From: Alex de Kruijff <freebsd@akruijff.dds.nl>
To: re re
Cc: freebsd-questions@freebsd.org
Date: Wed, 10 Mar 2004 00:49:59 +0100
Subject: Re: hacked
In-reply-to: <20040308185615.9C4CC4160BD@ws5-2.us4.outblaze.com>
Message-id: <20040309234959.GC24012@alex.lan>
References: <20040308185615.9C4CC4160BD@ws5-2.us4.outblaze.com>
User-Agent: Mutt/1.4.2.1i
List-Id: User questions <freebsd-questions@freebsd.org>

On Tue, Mar 09, 2004 at 02:56:15AM +0800, re re wrote:
> hello
> despite having ipfilter blocking all ports except 80, 21 and 22,
> tripwire, and scoring 999999 in nmap, my website got defaced.
> the box is currently unplugged. i wanted to know what is the best
> way to find out who did it and how they got in, and what to do
> from here. tripwire shows a lot of files changed, most of which
> could be attributed to cvsup'ing recently. any other security
> precautions to take? disaster recovery guides? i've already
> changed p/w's on my other boxes.

Dear Re,

Could you please cut your text so that the lines are less than 72
characters? I'm on a console and this is a bit difficult to read.

What you could do to make your box more secure:
- Run portsentry
- Run a jail

How can you find out how they broke in and who they are?
- The log files would be your first clue. However, these could have
  been modified by the cracker.
- Check the changes in tripwire.
- Look for strange files.
- Check what programs are started.
- Check for security compromises.
- Check if any backdoors were installed.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
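The checklist in the reply above (logs, tripwire changes, strange files, started programs, backdoors) can be worked through offline. The script below is an added example and is not part of the original thread or of any FreeBSD tool; it assumes the unplugged box's disk has been mounted read-only on a clean machine at the path given as ROOT and that the disk has a stock FreeBSD layout (/etc/inetd.conf, /etc/rc.local, /var/cron/tabs, /usr/local/etc/rc.d, /var/log). It runs from the trusted host's own find, cksum and grep, which matters because an intruder who can edit the logs can just as easily replace the victim's own binaries. It filters /usr/ports and /usr/src out of the modified-file list so that a recent cvsup does not drown the interesting changes, and it includes a minimal tripwire-style snapshot/diff using only POSIX cksum so that a known-good snapshot (from install media or a sibling box built the same way) can be compared against the suspect disk.

```shell
#!/bin/sh
# Offline triage of a suspected-compromised FreeBSD disk.
# Usage: sh triage.sh /mnt/suspect      (root filesystem mounted read-only)
# Added example for the thread above; all paths assume a stock FreeBSD layout.

# Setuid/setgid files. A new one outside /bin, /sbin, /usr/bin, /usr/sbin,
# /usr/libexec (a copied /bin/sh with mode 4755 in /tmp, say) is a classic backdoor.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Files modified within the last N days. The ports and src trees that a recent
# cvsup legitimately rewrote are skipped so the list is not swamped by them.
find_recent() {
    find "$1" -xdev -type f -mtime -"$2" \
        ! -path "$1/usr/ports/*" ! -path "$1/usr/src/*" 2>/dev/null | sort
}

# Everything that starts a program at boot or on a schedule: rc.local, inetd,
# crontabs, local rc.d scripts. Comment and blank lines are dropped and each
# remaining line is prefixed with its file so an added entry stands out.
list_startup() {
    for f in "$1"/etc/rc.local "$1"/etc/inetd.conf "$1"/etc/crontab \
             "$1"/var/cron/tabs/* "$1"/usr/local/etc/rc.d/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' |
            while IFS= read -r line; do
                printf '%s: %s\n' "${f#"$1"}" "$line"
            done
    done
}

# Line count per log. A busy web server's messages or httpd log shrinking to a
# handful of lines, or to zero, means the intruder cleaned up; look at the
# syslog on any remote loghost instead.
log_summary() {
    for f in "$1"/var/log/messages "$1"/var/log/auth.log \
             "$1"/var/log/httpd-access.log "$1"/var/log/httpd-error.log; do
        [ -f "$f" ] || continue
        printf '%s %s lines\n' "${f#"$1"}" "$(wc -l < "$f" | tr -d ' ')"
    done
}

# Tripwire-style snapshot with POSIX tools only: CRC32 and size of every file
# under the root (ports/src excluded), paths relative to the root so a snapshot
# taken on a clean box can be compared with one taken on the suspect disk.
hash_tree() {
    ( cd "$1" && find . -xdev -type f ! -path './usr/ports/*' ! -path './usr/src/*' \
        -exec cksum {} + 2>/dev/null ) | sort -k3
}

# Prints the paths that differ between a known-good snapshot ($1) and the
# suspect snapshot ($2): changed checksum or size, or present in only one.
diff_snapshots() {
    t=$(mktemp -d)
    sort "$1" > "$t/a"
    sort "$2" > "$t/b"
    comm -3 "$t/a" "$t/b" | awk '{print $NF}' | sort -u
    rm -rf "$t"
}

triage() {
    root=$1
    echo "== setuid/setgid files";           find_setuid "$root"
    echo "== files modified in last 7 days"; find_recent "$root" 7
    echo "== startup / scheduled entries";   list_startup "$root"
    echo "== log sizes";                     log_summary "$root"
    echo "== snapshot (save and diff against a known-good one)"
    hash_tree "$root"
}

if [ $# -eq 1 ]; then
    triage "$1"
fi
```

Run hash_tree once on a clean install of the same release (or on the sibling box if it is trusted) and save the output; diff_snapshots against the suspect disk's snapshot then gives the list of files that really changed, which is the list tripwire should have reported after the cvsup noise is removed. Anything in that list under /bin, /sbin, /usr/bin, /usr/sbin or /usr/libexec is a candidate trojaned binary or backdoor; anything setuid in /tmp, /var/tmp or a dot-directory is a backdoor until proven otherwise.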