From owner-freebsd-security@FreeBSD.ORG Mon Feb 16 12:20:52 2004
Date: Mon, 16 Feb 2004 10:20:51 -1000
From: Clifton Royston
To: Duncan Campbell
cc: freebsd-security@freebsd.org
Subject: Re: Rooted system
Message-ID: <20040216202051.GA15307@tikitechnologies.com>
In-Reply-To: <20040216200052.BAC7C16A4FA@hub.freebsd.org>
List-Id: Security issues [members-only posting]

On Mon, Feb 16, 2004 at 12:00:52PM -0800, freebsd-security-request@freebsd.org wrote:
> Date: Mon, 16 Feb 2004 01:20:23 +0100
> From: "Remko Lodder"
> Subject: RE: [Freebsd-security] Rooted system
> To: "Duncan Campbell" ,
> Message-ID: <20040216001944.306A92B4D6C@mail.evilcoder.org>
>
> Hi,
>
> > And now what? [ You are unclear to me ]
>
> Well, you could use a Security Toolkit Distribution from Knoppix, called
> knoppix-std
> And do some research with that.
More generic forensic help (less Linux-specific) might come from the
"Coroner's Toolkit" from the team of Wietse Venema and Dan Farmer (SATAN
et al., and also TCPwrap and Postfix in the case of Wietse.)  It's
supposed to be pretty cross-platform with BSD support.

Sounds like it might already be a bit late to do deep forensics on the
system, but maybe better late than never.

> Hope this helps you a little,
>
> And sorry to hear that your system is compromised, hang on, take care, and
> if we can help...

Sorry to hear it also.  I assume, since you've been active on this list,
your system was fully patched, up-to-date with all FreeBSD security
notices?  Any particular nonstandard ports or services running on this
system?

-- Clifton

--
Clifton Royston -- cliftonr@tikitechnologies.com
Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow?  Well we can do it.  We know how.
If you never did, you should.  These things are fun, and fun is good.
-- Dr. Seuss