From owner-freebsd-security@FreeBSD.ORG Mon Jun 27 11:34:49 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BDC9E16A41C for ; Mon, 27 Jun 2005 11:34:49 +0000 (GMT) (envelope-from freebsd-security@molecon.ru)
Received: from amd64.molecon.ru (amd64.molecon.ru [213.219.245.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 684E043D4C for ; Mon, 27 Jun 2005 11:34:49 +0000 (GMT) (envelope-from freebsd-security@molecon.ru)
Received: from [194.154.84.59] (helo=[10.20.5.22]) by amd64.molecon.ru with esmtp (Exim 4.51 (FreeBSD)) id 1Dmrsm-0008zG-8X for freebsd-security@freebsd.org; Mon, 27 Jun 2005 15:34:32 +0400
Date: Mon, 27 Jun 2005 15:34:36 +0400
From: Oleg Rusanov
X-Mailer: The Bat! (v3.0) Professional
Organization: Molecon
X-Priority: 3 (Normal)
Message-ID: <1181649450.20050627153436@molecon.ru>
To: freebsd-security
In-Reply-To: <42BFDAB9.7010204@sochiwater.ru>
References: <1344959974.20050627142110@molecon.ru> <42BFDAB9.7010204@sochiwater.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-PopBeforeSMTPSenders: freebsd-amd64@molecon.ru, freebsd-opennet@molecon.ru, info@molecon.ru, mysql@molecon.ru, oleg@molecon.ru
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - amd64.molecon.ru
X-AntiAbuse: Original Domain - freebsd.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6]
X-AntiAbuse: Sender Address Domain - molecon.ru
X-Source:
X-Source-Args:
X-Source-Dir:
Subject: Re[2]: "sh -i" My server was hacked. How can i found hole on my server?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Oleg Rusanov
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 27 Jun 2005 11:34:49 -0000

> Also check that your kernel wasn't recompiled and that there aren't any
> (known at least) rootkits (chkrootkit).
> Anyway, IMHO, there are more ways to hide something in your system..
> If I were you, I'd do all this to try to know the real reason and to
> keep that in mind for the future. Finally, I'd follow Jan Muenther's
> advice to be sure that you're absolutely clean.

amd64# uname -mirs
FreeBSD 5.4-STABLE amd64 L71
amd64#
amd64# kldstat
Id Refs Address            Size   Name
 1    2 0xffffffff80100000 470930 kernel
 2    1 0xffffffffb45b0000 2213   nullfs.ko
amd64# sysctl kern.securelevel
kern.securelevel: -1

Shell account only for me. And "PHP open_basedir" was disabled only for one account. So phpshell may go only from this account, but there is no phpBB hole on this account. Hm.

chkrootkit is not working, also after reinstall.

Checking `bindshell'... INFECTED (PORTS: 465 4000)
Checking `lkm'... here it is checking for a long time, I think it's not normal.

I continue to search.

--
Regards,
Oleg mailto:freebsd-security@molecon.ru
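The chkrootkit "bindshell" test above only reports port numbers; it does not say what process owns each socket, so a hit on a port that a legitimate daemon uses (465 is the usual SMTPS port) looks identical to a hit on a real bind shell. The added example below, which is not part of the thread or of chkrootkit, shows the triage step a responder would do next on a FreeBSD host: take the flagged ports and look each one up in the listening-socket table that `sockstat -4l` prints, then compare the owning command with what the host is expected to run on that port. The sockstat output and the expected-service list are constructed sample data so the script runs offline; on a real host the table would come from `sockstat -4l` itself.

```shell
#!/bin/sh
# Added example (not from the thread): triage a chkrootkit "bindshell" hit by
# cross-referencing each flagged port with the process that owns the socket.
# SAMPLE_SOCKSTAT is CONSTRUCTED data in the column layout of "sockstat -4l".
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
mailnull exim       640   3  tcp4   *:465                 *:*
www      httpd      700   16 tcp4   *:80                  *:*
nobody   sh         9131  3  tcp4   *:4000                *:*'

# Constructed allowlist for this host: port:expected-command.
EXPECTED='22:sshd
465:exim
80:httpd'

# triage_ports PORT...
# Prints one line per port: "port command pid verdict", where verdict is
#   expected   - the allowlisted service owns the port
#   suspicious - something else owns the port (e.g. an interactive shell)
#   unbound    - nothing is listening there now (stale or false-positive hit)
triage_ports() {
    for port in "$@"; do
        # Field 6 of sockstat output is the local address, e.g. "*:4000".
        line=$(printf '%s\n' "$SAMPLE_SOCKSTAT" |
            awk -v p="$port" '$6 == ("*:" p) { print $2, $3; exit }')
        if [ -z "$line" ]; then
            printf '%s - - unbound\n' "$port"
            continue
        fi
        cmd=${line%% *}
        pid=${line#* }
        want=$(printf '%s\n' "$EXPECTED" |
            awk -F: -v p="$port" '$1 == p { print $2 }')
        if [ "$want" = "$cmd" ]; then
            printf '%s %s %s expected\n' "$port" "$cmd" "$pid"
        else
            printf '%s %s %s suspicious\n' "$port" "$cmd" "$pid"
        fi
    done
}

# The two ports chkrootkit flagged in the thread, plus two controls.
triage_ports 465 4000 22 8080
```

With the constructed table, 465 resolves to the expected mail daemon and is cleared, while 4000 resolves to a plain `sh` running as `nobody`, which is exactly the kind of owner a responder would want to inspect further (its PID, parent process, open files and start time) before deciding whether the host is clean. A port that chkrootkit listed but that no longer appears in sockstat is reported as "unbound", which distinguishes a stale or mistaken report from a live listener.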