Date:      Wed, 10 Mar 2004 00:49:59 +0100
From:      Alex de Kruijff <freebsd@akruijff.dds.nl>
To:        re re <qt4x11@linuxmail.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: hacked
Message-ID:  <20040309234959.GC24012@alex.lan>
In-Reply-To: <20040308185615.9C4CC4160BD@ws5-2.us4.outblaze.com>
References:  <20040308185615.9C4CC4160BD@ws5-2.us4.outblaze.com>

On Tue, Mar 09, 2004 at 02:56:15AM +0800, re re wrote:
> Hello,
> despite having ipfilter blocking all ports except 80, 21 and 22, tripwire, and scoring 999999 in nmap, my website got defaced.
> The box is currently unplugged.  I wanted to know what is the best way to find out who did it and how they got in, and what to do from here.  Tripwire shows a lot of files changed, most of which could be attributed to cvsup'ing recently.  Any other security precautions to take, disaster recovery guides?  I've already changed p/w's on my other boxes.

Dear Re,

Could you please cut your text so that the lines are less than 72 chars?
I'm on a console and this is a bit difficult to read.

What you could do to make your box more secure:
- Run portsentry
- Run a jail

How you can find out how they broke in and who they are:
- The log files would be your first clue. However, these could be
  modified by the cracker.
- Check changes in tripwire
- Look for strange files
- Check what programs are started
- Check for security compromises.
- Check if any backdoors were installed.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
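Added example (not part of the thread): a small triage script for the two checks above that generate the most noise, separating tripwire changes that a cvsup run explains from those it does not, and flagging listeners outside the 80/21/22 ipfilter policy. It assumes the tripwire report was reduced to one changed path per line and that "sockstat -4l" output was saved before the box was unplugged; the inputs below are constructed samples.

```shell
# Trees that a recent cvsup legitimately rewrites (assumed default layout);
# changes elsewhere are the ones worth a close look.
CVSUP_TREES='/usr/src /usr/ports /usr/doc'

# Read changed paths (one per line) on stdin and print only those that a
# cvsup run cannot explain.
unexplained_changes() {
    awk -v trees="$CVSUP_TREES" '
        BEGIN { n = split(trees, t, " ") }
        {
            keep = 1
            for (i = 1; i <= n; i++)
                if (index($0, t[i] "/") == 1) keep = 0
            if (keep) print
        }'
}

# Read saved "sockstat -4l" output on stdin and print listeners whose port
# is not in the space-separated allow list given as $1.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 {
            port = $6; sub(/.*:/, "", port)
            if (!(port in ok)) printf "%s %s pid=%s port=%s\n", $1, $2, $3, port
        }'
}

# Constructed sample inputs standing in for the real tripwire and sockstat data.
CHANGED='/usr/src/sys/kern/kern_exec.c
/usr/local/www/data/index.html
/etc/rc.local
/usr/ports/www/apache13/Makefile'
SOCKETS='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 312 4 tcp4 *:22 *:*
www httpd 401 16 tcp4 *:80 *:*
root ftpd 280 3 tcp4 *:21 *:*
nobody sh 6666 3 tcp4 *:31337 *:*'

echo '== changed files not covered by cvsup =='
printf '%s\n' "$CHANGED" | unexplained_changes
echo '== listeners outside the 80/21/22 policy =='
printf '%s\n' "$SOCKETS" | unexpected_listeners '80 21 22'
```

Run it against the real saved files rather than the samples; anything it prints is a starting point for the "strange files" and "what programs are started" checks, not a verdict.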