Date: Thu, 28 Aug 2003 18:15:00 +0200
From: "Devon H. O'Dell" <dodell@sitetronics.com>
To: jahmon <jahmon@jahmon.com>, freebsd-security@freebsd.org
Subject: Re: compromised server
Message-ID: <3F4E2A84.4050007@sitetronics.com>
In-Reply-To: <BFD67654-D969-11D7-A329-000393DED9F6@jahmon.com>
References: <BFD67654-D969-11D7-A329-000393DED9F6@jahmon.com>
Heh, I forgot to send this to the group... so here it is.

To check for suid and sgid programs, run the following command:

find / -type f \( -perm -04000 -o -perm -02000 \)

Hope this helps.

--Devon

jahmon wrote:
> Devon,
>
> checked the /var/log - nothing strange found
> ran chkrootkit - nothing found
> checked user accounts - no new accounts found
>
> how do I check for suid permissions?
>
> Thanks,
>
> jahmon
>
> On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. O'Dell wrote:
>
>> You will want to read everything in /var/log, run chkrootkit, check
>> out .history files, look for new user accounts, look for files with
>> suid permissions and other similar stuff. I don't know of a site that
>> really says what exactly to do. If someone knows such a reference,
>> it'd be highly useful. Otherwise, is anybody willing to write one
>> (I'd be willing to contribute)?
>>
>> One good thing may be to search for computer forensics on Google;
>> specifically for compromised servers. Combining those and other words
>> may give you varying levels of success, I think.
>>
>> --Devon
>>
>> jahmon wrote:
>>
>>> I have a server that has been compromised.
>>> I'm running version 4.6.2
>>> when I do
>>>
>>> >last
>>>
>>> this line comes up in the list.
>>> shutdown ~ Thu Aug 28 05:22
>>> That was the time the server went down.
>>> There seemed to be some configuration changes.
>>> Some of the files seemed to revert back to default versions
>>> (httpd.conf, resolv.conf)
>>>
>>> Does anyone have a clue what type of exploit they may have used?
>>> Is there any way I can find out if there are any trojans installed?
>>>
>>> Thanks
>>>
>>> jahmon
>>>
>>> _______________________________________________
>>> freebsd-security@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe@freebsd.org"
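The find(1) invocation above lists every setuid/setgid file, but on a live system that list is long and most entries are legitimate. What an investigator actually wants is the difference between the current set and a known-good baseline. The script below is an added example written for this archive page, not code from the thread or from FreeBSD: it wraps the same find predicate in a function whose sorted output can be saved as a baseline, then reports only the setuid/setgid files that were not in the baseline. The directory tree it builds in demo() is constructed for illustration; the file names /bin/su and /tmp/.x are placeholders.

```sh
#!/bin/sh
# Added example (not from the original thread): baseline-and-diff of setuid/setgid
# files. The sample tree, file names and baseline path are constructed for the demo.

# list_setid ROOT: regular files under ROOT with the suid or sgid bit set, one path
# per line relative to ROOT, sorted so the output can be fed straight to comm(1).
list_setid() {
    ( cd "$1" && LC_ALL=C find . -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null \
        | LC_ALL=C sort )
}

# new_setid ROOT BASELINE: paths that are setuid/setgid now but were absent from
# BASELINE, a file produced earlier by list_setid while the system was trusted.
# comm -13 suppresses lines unique to the baseline and lines common to both.
new_setid() {
    list_setid "$1" | LC_ALL=C comm -13 "$2" -
}

# demo: constructed stand-in for a system root. bin/su is a legitimate setuid binary
# captured in the baseline; tmp/.x is planted afterwards and is the only path expected
# in the report. Returns that report on stdout.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/tmp"
    : > "$root/bin/su" && chmod 4755 "$root/bin/su"     # legitimate setuid root binary
    : > "$root/bin/ls" && chmod 0755 "$root/bin/ls"     # ordinary binary, never listed
    list_setid "$root" > "$root/baseline.txt"           # snapshot taken while trusted
    : > "$root/tmp/.x" && chmod 4755 "$root/tmp/.x"     # appears after the incident
    new_setid "$root" "$root/baseline.txt"
    rm -rf "$root"
}

demo
```

Two caveats follow from the rest of the thread. The baseline is only useful if it was taken before the compromise and stored off the box (the same reasoning behind keeping logs and .history files somewhere the intruder cannot edit), and find(1), sort(1) and comm(1) themselves must be trusted copies, which on a suspect host means running them from read-only or freshly installed media rather than from the system's own /usr/bin. FreeBSD also ships mtree(8), which records and verifies file modes and ownership for a whole tree and covers the same ground more thoroughly than a setuid-only list.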