From owner-freebsd-questions Mon Jan 4 17:09:48 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA05959
    for freebsd-questions-outgoing; Mon, 4 Jan 1999 17:09:48 -0800 (PST)
    (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from server1.cctinc.net (NS1.cyber-com.net [209.118.223.2])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA05868
    for ; Mon, 4 Jan 1999 17:08:18 -0800 (PST)
    (envelope-from hostmaster@cctinc.net)
Received: from cctinc.net ([209.118.223.117])
    by server1.cctinc.net (8.8.7/8.8.7) with ESMTP id UAA02822
    for ; Mon, 4 Jan 1999 20:13:13 -0500 (EST)
    (envelope-from hostmaster@cctinc.net)
Message-ID: <36916425.10286B80@cctinc.net>
Date: Mon, 04 Jan 1999 20:00:21 -0500
From: Mike Alich
X-Mailer: Mozilla 4.05 [en] (Win95; I)
MIME-Version: 1.0
To: freebsd-questions@FreeBSD.ORG
Subject: HACKED & SECURITY
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am hoping you can help me...

My server got hacked and there was no evidence in the root .history file
of their actions. I believe they have a backdoor program on the server
they run. I have disabled all shell login except myself. The only inetd
running is FTP and qpopper mail server. I only use ssh for server access.

And I have done binary file restores from the live file system cd to the
following:

/bin
/sbin
/usr/bin
/usr/sbin
/usr/libexec

Are there any other file areas (binaries) I need to restore? I have run
diffs on all of the above files and they are good.

Also, do you have any ideas of how they got in? I believe they have been
in for a while now. I really can't do a full re-install because there is
too much custom work on the server.

Any suggestions would be appreciated.

Thanks in advance!

--
Mike Alich
mike@cctinc.net
Cyber Communication Technologies, Inc.
Web Hosting and Internet Solutions.
http://www.cctinc.net
Virtual Web Hosting $14.95 per month
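An added example, not part of the original message: the comparison described above, extended to also report files that exist on the live system but not on the reference media, which a diff of the restored files alone does not show. The function names (compare_tree, audit, demo) and the two-root layout are assumptions, and the script assumes sh, find and cmp are themselves run from trusted media.

```shell
#!/bin/sh
# compare_tree REF_ROOT LIVE_ROOT DIR
# Prints one line per finding for regular files under DIR:
#   DIFFERS <path>  content differs from the reference copy
#   MISSING <path>  present in the reference, absent on the live system
#   EXTRA   <path>  present on the live system, no reference copy
compare_tree() {
    ref_root=$1 live_root=$2 dir=$3
    # Pass 1: every reference file must exist and match byte for byte.
    (cd "$ref_root" && find "./$dir" -type f) | sort | while IFS= read -r f; do
        if [ ! -f "$live_root/$f" ]; then
            echo "MISSING ${f#./}"
        elif ! cmp -s "$ref_root/$f" "$live_root/$f"; then
            echo "DIFFERS ${f#./}"
        fi
    done
    # Pass 2: files only the live system has (never touched by a restore).
    (cd "$live_root" && find "./$dir" -type f 2>/dev/null) | sort |
    while IFS= read -r f; do
        [ -e "$ref_root/$f" ] || echo "EXTRA ${f#./}"
    done
}

# audit REF_ROOT LIVE_ROOT: check the directories named in the message.
audit() {
    for d in bin sbin usr/bin usr/sbin usr/libexec; do
        [ -d "$1/$d" ] && compare_tree "$1" "$2" "$d"
    done
    return 0
}

# demo: build two small constructed trees (sample data) and audit them.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/ref/bin" "$t/live/bin" "$t/ref/usr/libexec" "$t/live/usr/libexec"
    echo ls-v1 > "$t/ref/bin/ls"; echo ls-v1 > "$t/live/bin/ls"
    echo ps-v1 > "$t/ref/bin/ps"; echo ps-XX > "$t/live/bin/ps"
    echo ftpd > "$t/ref/usr/libexec/ftpd"
    echo x > "$t/live/usr/libexec/.hidden"
    audit "$t/ref" "$t/live"
    rm -rf "$t"
}

# Usage: sh audit.sh REF_ROOT LIVE_ROOT   or   sh audit.sh demo
if [ "$#" -eq 2 ]; then audit "$1" "$2"
elif [ "${1:-}" = demo ]; then demo; fi
```

REF_ROOT would be the mount point of the live file system CD and LIVE_ROOT the root of the running system.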