From: Christoph Sold
Reply-To: so@server.i-clue.de
Date: Fri, 03 Aug 2001 09:42:21 +0200
To: Keith Spencer
Cc: fbsd
Subject: Re: How can I tell I have been hacked?
Message-ID: <3B6A55DD.32979F9F@i-clue.de>
References: <20010803045134.9495.qmail@web12006.mail.yahoo.com>

Keith Spencer wrote:
>
> Hi all,
> Some mob contacted me and said I had been hacked by a
> group called Pakistan Cyber Warriors.
> Heard of them?

No.

> They say my site had a page placed on it yesterday
> short term!
> How can I tell?
> Any ideas?
> What should I do? Close telnet ftp etc etc.?
> What is port 587 Submission?
> How can I trace a backdoor on my machine?
> So many questions.

Run portscans on the machine. Check against safe tripwire databases (i.e. stored on read-only media, such as CD-Rs). Beware: you cannot trust this machine to run portscans against itself. Use a known secure box to do that.

If you have no record of the known safe state of your box, rebuild the system from scratch, secure it, and do not put it on the 'net until it is secure. If you cannot afford the downtime, grab yourself another box, make it secure, then install _data_only_ from the hacked box.

To learn more about how to secure your boxes, http://ezine.daemonnews.org/200108/ has two recent articles about security. http://freebsddiary.org/topics.php#firewalls , http://freebsddiary.org/topics.php#security , and http://www.onlamp.com/bsd/ are other starting points about securing your box.

HTH
-Christoph Sold

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
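The "check against a safe tripwire database" step above is the part most people have never actually set up, so here is an added example of what that check looks like in practice. It is illustration code written for this archive page, not anything from the thread, from Tripwire, or from FreeBSD: it builds a manifest of SHA-256 hashes, sizes and permission bits for a tree, then diffs the live tree against a stored copy of that manifest. The sample tree, the defaced page and the setuid bit flip in `demo()` are all constructed in a temporary directory. Everything else about the deployment is an assumption stated in the comments: the manifest, and the checker itself, are only worth anything if they live on read-only media and are run from a box you still trust, which is exactly the point made in the reply.

```python
"""Tripwire-style file integrity check (added illustration, not from the
thread).  Build a manifest of hashes, sizes and modes for a tree, keep the
manifest on read-only media, and later diff the live tree against it.
The sample tree below is constructed in a temporary directory."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record sha256, size and permission bits for every regular file under
    root, keyed by path relative to root so the manifest is portable.
    lstat is used so symlinks are never followed; symlinks, devices and
    sockets are skipped."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            manifest[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                # permission bits, so a setuid/setgid flip shows up even
                # when the file contents are untouched
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return manifest


def verify(root, baseline):
    """Compare the live tree with a stored baseline.  Returns sorted lists of
    paths that were added, removed, or whose hash/size/mode changed."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def _write(root, rel, text):
    """Helper for the constructed demo tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)
    return full


def demo():
    """Constructed scenario: baseline a clean tree, simulate a defacement
    plus a setuid bit being set on a file, then run the comparison."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/rc.conf", 'sshd_enable="YES"\n')
        _write(root, "etc/motd", "Welcome\n")
        _write(root, "usr/local/www/index.html", "<h1>Our site</h1>\n")
        ls = _write(root, "usr/local/bin/ls", "#!/bin/sh\nexec /bin/ls \"$@\"\n")

        # Assumed deployment: this string is what you burn to CD-R (or keep on
        # another read-only medium) together with a known-good copy of the
        # checker, and you run the comparison from a box you still trust.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated tampering after the baseline was taken:
        _write(root, "usr/local/www/index.html", "<h1>changed</h1>\n")    # page altered
        _write(root, "usr/local/www/defaced.html", "<h1>changed</h1>\n")  # new page dropped in
        os.remove(os.path.join(root, "etc/motd"))                          # file deleted
        os.chmod(ls, 0o4755)                                               # setuid set, contents same

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints the three lists: the altered page and the setuid-flipped `ls` under `modified`, the dropped-in page under `added`, and the deleted `motd` under `removed`. The size-and-mode fields are there deliberately; a hash alone would miss the permission change, which is the kind of thing a backdoor relies on.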