Date:      Mon, 08 Mar 2004 19:02:17 -0000
From:      "Remko Lodder" <remko@elvandar.org>
To:        "re re" <qt4x11@linuxmail.org>, <freebsd-questions@freebsd.org>
Subject:   RE: hacked
Message-ID:  <20040308190212.F3AB92B4DAB@mail.evilcoder.org>
In-Reply-To: <20040308185636.BB40924@mail.elvandar.org>

You should make a copy of your current hard drive, and lock the other one in a
safe or something, so that you can always make additional copies.
This requires a same-sized hard disk in another working system.

But that is probably not what you have.

You should check your webserver logs/ftp logs for bogus entries.
Note that firewalling does not prevent web defacements. Why? Well, port
80/20/21 is allowed traffic, so people can get in.

It might be possible that your ftp server got breached; what version did you
run? What webserver did you run? With PHP? Is there even the slightest
possibility that you had rwx settings on the tree where your web files are in,
so that one could have written code to it, or, even worse, changed your index file?

I had it myself with a bogus Slashdot topic script that allowed remote users
to write into my files; one of my includes was overwritten and I got a website
your.com instead of my three-tabled layout ... oops, it was the script and rwx
permissions in the tree.

Good luck!!


--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hacker scene

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org] On behalf of re re
Sent: Monday, 8 March 2004 19:56
To: freebsd-questions@freebsd.org
Subject: hacked


Hello,
despite having ipfilter blocking all ports except 80, 21 and 22, tripwire,
and scoring 999999 in nmap, my website got defaced.
The box is currently unplugged. I wanted to know what is the best way to
find out who did it and how they got in, and what to do from here. Tripwire
shows a lot of files changed, most of which could be attributed to cvsup'ing
recently. Any other security precautions to take, disaster recovery guides?
I've already changed p/w's on my other boxes.
Thanks
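A small triage script for the permission check Remko recommends, added here as an example and not part of either message: it lists world-writable entries and recently modified files under a web root (the sample tree, its paths and the `build_sample_tree` helper are constructed for the demo) and then strips the offending "other" write bits, which is the fix for the misconfiguration he describes.

```sh
#!/bin/sh
# Defender-side triage for a defaced web tree: world-writable files or
# directories are what let a foothold overwrite index.html or an include.

# Print every file or directory under $1 writable by "other".
# -perm -o+w (symbolic mode) works on FreeBSD find and GNU find.
find_world_writable() {
    find "$1" -perm -o+w -print | sort
}

# Print regular files under $1 modified within the last $2 days, to
# cross-check against the list tripwire reports as changed.
find_recently_modified() {
    find "$1" -type f -mtime "-$2" -print | sort
}

# Number of world-writable entries under $1; 0 means the tree is clean.
count_world_writable() {
    find "$1" -perm -o+w | wc -l | tr -d ' '
}

# Build a constructed sample tree that reproduces the weak setup
# (a 666 include file inside a 777 directory). Prints the temp dir.
build_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/htdocs/includes"
    printf '<html>ok</html>\n' > "$dir/htdocs/index.html"
    printf 'header\n' > "$dir/htdocs/includes/header.inc"
    chmod 644 "$dir/htdocs/index.html"
    chmod 666 "$dir/htdocs/includes/header.inc"   # world-writable file
    chmod 777 "$dir/htdocs/includes"              # world-writable directory
    echo "$dir"
}

# Fix: remove the "other" write bit from the whole tree.
harden_tree() {
    chmod -R o-w "$1"
}

# Demo run on the constructed tree.
demo() {
    root=$(build_sample_tree)
    echo "world-writable before:"; find_world_writable "$root/htdocs"
    echo "modified in last 1 day:"; find_recently_modified "$root/htdocs" 1
    harden_tree "$root/htdocs"
    echo "world-writable after: $(count_world_writable "$root/htdocs")"
    rm -rf "$root"
}
```

Run `demo` to see the two offending entries before hardening and none after; on a real box, run `find_world_writable` and `find_recently_modified` against a read-only copy of the disk, as the reply suggests.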