Date: Mon, 15 Feb 2010 11:49:56 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: freebsd-questions@freebsd.org
Subject: Re: Cleaning up after attack?
Message-ID: <4B7926D4.6000901@locolomo.org>
In-Reply-To: <556594.6744.qm@web53507.mail.re2.yahoo.com>
References: <556594.6744.qm@web53507.mail.re2.yahoo.com>
On 15/02/10 11:13, Dr. Jennifer Nussbaum wrote:
> Hi. I have an up-to-date FreeBSD 7.2 box that has been compromised. Someone apparently got into an account with certain admin privileges and has been
> sending spam.
>
> I disabled the account, shut off my MTA and used pf to block all traffic to port 25 out for good measure.
>
> How do I analyse what might have happened and what has been installed?
>
> And is there anything to do other than rebuild the entire system to ensure that it's clean?

If the attacker had privileged access then he may have got a copy of master.password; you should assume all accounts compromised. If user data are shared with other servers, then all should be considered compromised.

Blocking certain access, say port 25, is insufficient. You should get it off the net until you are sure the system is clean, as the attacker may have installed some daemon that communicates on a non-standard port.

If you had things like tripwire installed you could get an idea of files modified. Otherwise you can use find to create a list of files modified since the attack, but this is only useful insofar as the attacker did not bother to reset access or modification times.

It may be faster to rebuild everything rather than trying to figure out what may have been modified, if your main concern is to get the system back up rather than investigate the incident.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
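Erik's find(1) suggestion and its caveat, as an added example that is not part of the thread: the script builds a constructed sample tree, lists files whose mtime is newer than a reference file marking the time of compromise, and then flags files whose inode change time (ctime) postdates the reference while their mtime claims to be older, because touch(1) can reset atime and mtime but ctime is set by the kernel on every inode change. The reference file, directory layout, file names and contents are all assumptions made for the demonstration; `-cnewer` is supported by both GNU and FreeBSD find.

```sh
#!/bin/sh
# Added example, not from the thread. Everything under $SAMPLE is constructed data.
# $ref is a file whose mtime marks the time of compromise; on a real system you
# would create it with: touch -t YYYYMMDDhhmm /tmp/ref

# Files whose contents changed (mtime) after the reference time.
modified_since() {
    root=$1 ref=$2
    find "$root" -type f ! -path "$ref" -newer "$ref" | sort
}

# Files whose inode changed (ctime) after the reference time but whose mtime
# claims to predate it: candidates for a modification time reset by the attacker.
mtime_reset_candidates() {
    root=$1 ref=$2
    # -cnewer: file ctime newer than the reference file's mtime
    find "$root" -type f ! -path "$ref" -cnewer "$ref" ! -newer "$ref" | sort
}

# Build the constructed sample tree; the sleeps keep the timestamps clearly ordered.
build_sample_tree() {
    d=$(mktemp -d)
    printf 'untouched\n' > "$d/clean.conf"   # legitimately older than the attack
    sleep 1
    touch "$d/ref"                           # mtime = "time of compromise"
    sleep 1
    printf 'dropped\n' > "$d/dropped.sh"     # new file, honest timestamps
    printf 'trojan\n' > "$d/backdoored.bin"  # new file, mtime then pushed back
    touch -t 201002100000 "$d/backdoored.bin"
    printf '%s\n' "$d"
}

SAMPLE=$(build_sample_tree)
trap 'rm -rf "$SAMPLE"' EXIT

echo "modified since reference:"
modified_since "$SAMPLE" "$SAMPLE/ref"              # dropped.sh
echo "ctime after reference but mtime before it (suspicious):"
mtime_reset_candidates "$SAMPLE" "$SAMPLE/ref"      # backdoored.bin
```

On a real system run both functions against the root filesystem as root; a file in the second list that you did not chmod, chown or reinstall yourself deserves a close look.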