Date: Mon, 8 Apr 2002 22:27:21 +0200
From: "Ruben de Groot" <ruben@1729.net>
To: "Todd Reed" <ex279@hotmail.com>, <freebsd-questions@FreeBSD.ORG>
Subject: Re: Recovering from a Hack
Message-ID: <009d01c1df3b$c9c240a0$0801a8c0@lan.1729.net>
References: <F574koO7bhXfT433nD000005794@hotmail.com>
"Todd Reed" <ex279@hotmail.com> wrote:

> I got hit last week by someone/something that has turned my BSDbox into a
> DDOS attacker (I think). Every two or three days I have to reboot because
> it starts flooding the network. Once I reboot it, it gets back to working
> "normal". This is a temp fix for me until I can rebuild it in the next few
> days, but I was wondering if some of you people could offer some personal
> advice on building a more secure box. I know the basics (shutdown all
> unnecessary ports, etc), but what are some issues or tricks that you have
> used to make it more secure. I would like to get enough responses and
> compile a list to post on www.freebsddiary.org.
>
> Also, if the events were to take place that your box was hacked and the
> intruder turned it into a DDoS attacker, what would you look at to kill the
> program? Results from a PS command look normal, but they could have changed
> the PS file.

You can only be sure if you reinstall. But beforehand you might want to
gather some information. Check your logfiles for possible clues or gaps.
Monitor network traffic from another machine. You could try chkrootkit from
the ports tree. It's capable of exposing some common rootkits used by
"script kiddies". If you're dealing with the more sophisticated cracker
you're probably out of luck, but they are a minority.

> --Todd
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
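Two of the checks the reply above recommends, looking for gaps in the logfiles and watching the traffic from a second machine, written out as an added Python example. This is not code from the thread, from Ruben, or from FreeBSD. The syslog lines and the packet records are constructed for the example; the year 2002, the 5-minute cron cadence, and the 100 packets/second flood threshold are assumptions, and the packet records stand in for whatever a capture tool on the monitoring host would produce.

```python
"""Added example: (1) find suspicious gaps or backward jumps in a BSD syslog,
(2) spot a host whose outbound packet rate looks like a flood.
All input data below is constructed; it is not from the mailing-list thread."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed syslog lines. BSD syslog omits the year, so a year is assumed
# when parsing. cron runs atrun every 5 minutes here, so a multi-hour silence
# followed by a root login is the kind of hole log tampering would leave.
SAMPLE_LOG = """\
Apr  5 23:58:01 bsdbox sshd[412]: Accepted publickey for todd from 192.0.2.10 port 51234 ssh2
Apr  5 23:59:30 bsdbox cron[501]: (root) CMD (/usr/libexec/atrun)
Apr  6 00:00:00 bsdbox newsyslog[520]: logfile turned over
Apr  6 00:05:00 bsdbox cron[530]: (root) CMD (/usr/libexec/atrun)
Apr  6 03:40:12 bsdbox sshd[611]: Accepted password for root from 198.51.100.7 port 4000 ssh2
Apr  6 03:45:00 bsdbox cron[620]: (root) CMD (/usr/libexec/atrun)
"""


def parse_syslog_time(line, year):
    """Parse the leading 'Mon dd HH:MM:SS' of a BSD syslog line (year assumed)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def find_log_gaps(text, year, max_gap):
    """Return (previous, next, delta) for every pair of consecutive lines whose
    timestamps are further apart than max_gap, or go backwards. A backwards
    jump is reported too: it means edited lines or a clock change."""
    gaps = []
    prev = None
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = parse_syslog_time(line, year)
        if prev is not None:
            if ts < prev and prev.month == 12 and ts.month == 1:
                ts = ts.replace(year=ts.year + 1)  # December -> January rollover
            delta = ts - prev
            if delta > max_gap or delta < timedelta(0):
                gaps.append((prev, ts, delta))
        prev = ts
    return gaps


def constructed_capture():
    """Build (seconds_since_start, src, dst) records: one quiet client sending
    2 packets/s and one host sending 400 packets/s to a single destination.
    Constructed data; addresses are RFC 5737 documentation ranges."""
    pkts = []
    for second in range(3):
        for i in range(2):
            pkts.append((second + i / 2, "192.0.2.20", "203.0.113.9"))
        for i in range(400):
            pkts.append((second + i / 400, "192.0.2.10", "203.0.113.5"))
    return pkts


def flood_sources(packets, threshold_pps):
    """Return {src: peak packets in any one-second bucket} for every source
    whose peak rate exceeds threshold_pps. Run on a capture taken from a
    different machine, since tools on the suspect box may have been replaced."""
    per_bucket = Counter((src, int(t)) for t, src, _dst in packets)
    peak = {}
    for (src, _bucket), n in per_bucket.items():
        peak[src] = max(peak.get(src, 0), n)
    return {src: n for src, n in peak.items() if n > threshold_pps}


if __name__ == "__main__":
    for prev, nxt, delta in find_log_gaps(SAMPLE_LOG, 2002, timedelta(minutes=15)):
        print(f"log gap of {delta} between {prev} and {nxt}")
    for src, pps in flood_sources(constructed_capture(), 100).items():
        print(f"{src} peaked at {pps} packets/s")
```

With the constructed data the first check reports a single gap of 3h35m12s between 00:05:00 and 03:40:12, and the second flags 192.0.2.10 at 400 packets/s. The gap threshold should be set from whatever the box logs on a fixed schedule (cron, newsyslog), and the rate threshold from a baseline capture of the same host taken when it is behaving normally.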