Date: Wed, 16 Nov 2005 20:06:22 -0600 From: Will Maier <willmaier@ml1.net> To: freebsd-security@freebsd.org Subject: Re: Need urgent help regarding security Message-ID: <20051117020622.GE26954@localdomain> In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com> References: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
On Wed, Nov 16, 2005 at 05:25:52PM -0800, Mark Jayson Alvarez wrote:
> However, we still haven't brought the server down in an attempt to
> track the intruder down. Right now we are clueless as to what we
> need to do.. Most of our servers are running legacy operating
> systems (old versions, mostly FreeBSD). Also, that particular server
> is running ProFTPD Version 1.2.4, which someone has suggested to
> have a known vulnerability..

You should take the box off the network immediately. Before doing so,
get a dump of all open files using lsof(8), especially open network
sockets. The following is a start:

    <as root> $ lsof -Pni > /root/openfiles.txt

Do not use shutdown(8) or reboot(8) to shut the machine down, as these
may trigger scripts that could remove or obfuscate evidence of the
break-in. Simply powering the machine off will leave it in a relatively
pristine state.

The machine will need to be rebuilt, and all passwords on it retired.
Consider whether the attacker could have compromised other systems on
your network via this machine; if so, change relevant passwords and
investigate further.

Do not boot from the compromised hard disk again; instead, mount it on
a safe machine and take a disk image. Do not alter the disk itself --
all investigation should occur using copies of the image.

If the other machines are in a state similar to the compromised machine
(in terms of OS upgrades, software upgrades, exposure), develop a plan
to bring them to a known safe/protected level. At a minimum, unnecessary
services should be turned off, strict password requirements should be
set, and all software (OS and third party) should be updated.

For extra credit: using the image and the dump of open files, try to
determine the vector used to launch the attack. Understanding how they
got in might help you as you move to secure your other machines.

You're going to have rather a lot of work to do, unfortunately, which
is a rough way to start at your new job.

If the previous admin had kept the machines up to date, the likelihood
that you'd have to respond to a security incident on unfamiliar systems
would be dramatically lessened. Do the next admin a favor: keep these
machines secure after you rebuild them.

-- 
o--------------------------{ Will Maier }--------------------------o
| jabber:..wcmaier@jabber.ccc.de | email:..........wcmaier@ml1.net |
| \.........wcmaier@cae.wisc.edu | \..........wcmaier@cae.wisc.edu |
*------------------[ BSD Unix: Live Free or Die ]------------------*
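The volatile-evidence step in the message above (dump open files and sockets with lsof(8) before pulling the plug) is the kind of thing that is easy to get half right under pressure. The script below is an added example and is not part of Will Maier's message or of any FreeBSD project code. It snapshots open files, processes, sessions, sockets, routes and host identity into one evidence directory, records a SHA-256 of every captured file in a manifest so the copies can later be checked for tampering on the analysis machine, and skips tools that are not installed rather than aborting. It assumes the tools are run from the host's own PATH (on a rooted box they may lie, so statically linked copies from trusted media are preferable) and that the evidence directory points at external or remote storage rather than the suspect disk.

```shell
#!/bin/sh
# Added example, not from the original message. Collect volatile state from a
# suspected-compromised host into an evidence directory, then verify it later.
# Assumption: tools come from the host PATH; on a rooted box prefer static
# binaries from trusted media. EVDIR should be external/remote storage.

# hash_file FILE: print a SHA-256 hex digest using whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no-sha256-tool"
    fi
}

# capture EVDIR NAME CMD [ARGS...]: save CMD's output as EVDIR/NAME.txt and
# append "NAME<TAB>sha256" to the manifest. Missing tools are recorded, not fatal.
capture() {
    evdir=$1; name=$2; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\tSKIPPED (not installed)\n' "$name" >> "$evdir/manifest.txt"
        return 0
    fi
    "$@" > "$evdir/$name.txt" 2>&1 || true    # a failing tool is still evidence
    printf '%s\t%s\n' "$name" "$(hash_file "$evdir/$name.txt")" >> "$evdir/manifest.txt"
}

# collect_volatile EVDIR: take the snapshots in a fixed order, most
# perishable (sockets, processes) first. Returns 0 on completion.
collect_volatile() {
    evdir=$1
    mkdir -p "$evdir"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$evdir/collected_at.txt"   # UTC, for the timeline
    capture "$evdir" openfiles lsof -Pni      # the dump suggested in the message
    capture "$evdir" sockets   netstat -an
    capture "$evdir" processes ps auxww
    capture "$evdir" sessions  w
    capture "$evdir" lastlog   last
    capture "$evdir" mounts    mount
    capture "$evdir" host      uname -a
    return 0
}

# verify_manifest EVDIR: on the analysis machine, re-hash every captured file
# and compare with the manifest. Returns 0 only if all hashes still match.
verify_manifest() {
    evdir=$1; bad=0
    while IFS="$(printf '\t')" read -r name sum; do
        case $sum in SKIPPED*) continue ;; esac
        if [ "$(hash_file "$evdir/$name.txt")" != "$sum" ]; then
            bad=1; echo "MISMATCH: $name.txt"
        fi
    done < "$evdir/manifest.txt"
    return $bad
}

# Usage on the suspect host (as root, evidence dir on external media):
#   collect_volatile /mnt/usb/evidence-$(hostname)
# Later, on the analysis machine:
#   verify_manifest /path/to/copied/evidence
```

Run the collection once, power the machine off as the message advises, and keep the manifest with the disk image; a mismatch on `verify_manifest` tells you a captured file was altered after collection.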
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051117020622.GE26954>