Date: Mon, 27 Jun 2005 15:34:36 +0400 From: Oleg Rusanov <freebsd-security@molecon.ru> To: freebsd-security <freebsd-security@freebsd.org> Subject: Re[2]: "sh -i" My server was hacked. How can i found hole on my server? Message-ID: <1181649450.20050627153436@molecon.ru> In-Reply-To: <42BFDAB9.7010204@sochiwater.ru> References: <1344959974.20050627142110@molecon.ru> <42BFDAB9.7010204@sochiwater.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
> Also check that your kernel wasn't recompiled and that there aren't any > (known at least) rootkits (chkrootkit). > Anyway, IMHO, there are more ways to hide something in your system.. > If I were you, I'd do all this to try to know the real reason and to > keep that in mind for the future. Finally, I'd follow Jan Muenther's > advice to be sure that you're absolutely clean. amd64# uname -mirs FreeBSD 5.4-STABLE amd64 L71 amd64# amd64# kldstat Id Refs Address Size Name 1 2 0xffffffff80100000 470930 kernel 2 1 0xffffffffb45b0000 2213 nullfs.ko amd64# sysctl kern.securelevel kern.securelevel: -1 Shell account only for me. And "Php open_basedir" was disabled only for one account. So phpshell may go only from this account, but there are no phpbb hole on this account. hm. chrootkit not working, also after reinstall. Checking `bindshell'... INFECTED (PORTS: 465 4000) Checking `lkm'... here is he checking for a log time, i think its not normal. I continue to search. -- Regards, Oleg mailto:freebsd-security@molecon.ru
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1181649450.20050627153436>