From owner-freebsd-questions@FreeBSD.ORG Thu Nov 17 04:13:27 2005
Message-ID: <20051117041319.62825.qmail@web51603.mail.yahoo.com>
Date: Wed, 16 Nov 2005 20:13:18 -0800 (PST)
From: Mark Jayson Alvarez
To: Steve Bertrand
Cc: 'FreeBSD Questions'
In-Reply-To: <20051117031649.11B9D43D49@mx1.FreeBSD.org>
Subject: RE: Need urgent help regarding security
List-Id: User questions

Steve Bertrand wrote:
> > Now what I want to do is to just reinstall the whole
> > operating system and secure it as much as possible. Like
> > someone told, it's just a waste to try to track it down
> > because the intruder might be located somewhere on the other
> > side of the world.
>
> They are always on the other side of the world... this is the Internet.
>
> If that is your solution, I would recommend reconfiguring your FTP
> server's DNS entries and applying another IP to the box, lest you be
> affected again. However, that won't even fix it, because it will just
> be found again by someone else.
>
> Unplugging the box just informs the attacker that you are aware of
> them. Moving the IP just makes people re-locate you.
>
> The solution is to make the box accessible to only those who need
> it... and only the services they need.
>
> .02
>
> Steve

No, that is not the solution I'm thinking of...

You see, right now that machine contains at least 200 Gb of important
files... I'm just paranoid that the intruder might just launch an
rm -rf. Right now we don't have a backup of those files yet.

I'm really eager to know how the intruder got into our machine; I'm
just afraid that he might be reading everything I am typing in the
terminal. I am also disappointed because most of our server
configuration files are in my home directory, but doing the
ls /tmp.... I found those files. Those files are our proxy
configurations containing all of our peer proxies (IP addresses) and
also the squid.conf, which I'm afraid the intruder can use to launch
an attack on our proxy farm. You see, those proxies aren't in a very
secure mode yet, but they are the MOST critical service in our company
because all of our partners are passing through those proxies.

Now what I really want to do is to just do the right thing, but only
one by one. I got so many replies; someone even suggested finding out
the IRC channel and trying to have a little chat with the intruders.
Someone suggested putting up a firewall in front of it and trying to
dump the packets to retrieve relevant information. I'm really so
confused right now as to where to start....

Right now, the server is inaccessible from the network, but it is
still running (I just remembered someone suggested not shutting it
down because the script the intruder used might get automatically
erased). From there... where should I start?

Thank you very much.
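The question "where should I start?" on a box that is off the network but still running has a conventional first step: capture the volatile state (processes, open sockets, logged-in users) before anything is rebooted, then take a hashed manifest of the directory where the intruder's files were found so that later deletion or modification (the "script might get erased" worry) is detectable. The script below is an added example written for this thread, not code from the list, from FreeBSD, or from the original poster. The file name `triage.sh`, the function names, and the evidence directory path are assumptions; the evidence directory is meant to live on removable media or another location the compromised disk cannot alter. `sockstat` is FreeBSD's socket lister; the `ss`/`netstat` fallbacks exist only so the manifest logic can also be exercised on Linux.

```shell
#!/bin/sh
# triage.sh: first-response snapshot of a compromised host (added example,
# not from the FreeBSD project). Run BEFORE rebooting, writing to a
# directory the intruder cannot reach (e.g. a mounted USB disk).

# Portable SHA-256 of one file: GNU coreutils sha256sum, else FreeBSD sha256(1).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Write a manifest "<sha256> <size> <path>" for every regular file under $1
# into $2, sorted so two manifests can be compared later. Paths containing
# a newline are not supported (known limitation of line-oriented output).
snapshot_dir() {
    dir=$1
    out=$2
    find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$(hash_file "$f")" "$size" "$f"
    done > "$out"
}

# Compare two manifests (old, new); print sorted ADDED/CHANGED/REMOVED lines.
# Empty output means nothing changed. Field 1 is the hash, field 2 the size,
# and everything after the second space is the path (it may contain spaces).
manifest_diff() {
    awk '
        { path = substr($0, length($1) + length($2) + 3); fp = $1 " " $2 }
        FILENAME == ARGV[1] { base[path] = fp; next }
        { cur[path] = fp }
        END {
            for (p in cur)
                if (!(p in base))           print "ADDED " p
                else if (base[p] != cur[p]) print "CHANGED " p
            for (p in base)
                if (!(p in cur))            print "REMOVED " p
        }' "$1" "$2" | LC_ALL=C sort
}

# Volatile state first (processes, sockets, logins), then the /tmp manifest.
# Each collector is allowed to fail so one missing tool does not stop the rest.
collect_volatile() {
    evid=$1
    mkdir -p "$evid"
    date -u > "$evid/collected_at.txt"
    ps auxww > "$evid/ps.txt" 2>&1 || true
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -46 > "$evid/sockets.txt" 2>&1 || true   # FreeBSD
    elif command -v ss >/dev/null 2>&1; then
        ss -tunap > "$evid/sockets.txt" 2>&1 || true      # Linux fallback
    else
        netstat -an > "$evid/sockets.txt" 2>&1 || true
    fi
    w > "$evid/w.txt" 2>&1 || true
    last > "$evid/last.txt" 2>&1 || true
    snapshot_dir /tmp "$evid/tmp.manifest"
}

# Usage (assumed paths):
#   sh triage.sh collect /mnt/usb/evidence-20051117
#   sh triage.sh diff evidence-a/tmp.manifest evidence-b/tmp.manifest
case "${1:-}" in
    collect) collect_volatile "${2:?evidence directory required}" ;;
    diff)    manifest_diff "${2:?old manifest}" "${3:?new manifest}" ;;
esac
```

Take the `collect` snapshot once immediately and again before the box is finally powered off; a non-empty `diff` between the two /tmp manifests shows exactly which files appeared, changed or vanished in between, which is the evidence that would otherwise be lost if the intruder's cleanup or the reinstall ran first. Copying the files listed in the manifest onto the same evidence media preserves them with their hashes for later comparison.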