Date: Wed, 24 Jul 2002 21:11:35 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: sagacious
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: heh
In-Reply-To: <000601c2336b$aea3e8d0$0a01a8c0@MIKESBOX>
Message-ID: <20020724210254.S92334-100000@ren.sasknow.com>

sagacious wrote to freebsd-questions@FreeBSD.ORG:

> There is a file in my website root called ?*
> I knew I didn't make the file so I made a test directory called foo,
> went into it and touched some quick files and directories. I typed
> rm ?* and sure as I thought it deleted all the test files.

Good test. :-)

rm \?\*

> Someone really has it out for me lately.

Ha!

> I think my box has been compromised and I'm not sure where to start.

Unplug it from the network, start analysing logs and your filesystems
(or back up this data to analyse later, if the box is critical to
operations). Perform a complete OS re-install and restore data from a
known good back-up. If you perform regular backups, and document your
system configuration, this should not be a terribly daunting task, even
for a moderate configuration.

If you have made several backups since the break-in occurred, you have
more work ahead of you. Do *not* risk restoring harmful data and
re-introducing the exploit.

> They got in via that god damn sshd exploit so I closed the port in
> my router. How do I remove this file without messing up my box?

OK. Even if you know how they got in, and successfully plugged the hole,
assume that your box is still compromised. The first thing that most
root kits do is install other backdoors... as they expect you to find
the original hole and close it quickly. Thus the advice to rebuild your
filesystems and start over.

> sagacious (Mike)
> Network administrator
> The unixhideout network
> http://www.unixhideout.com

-- 
Ryan Thompson <ryan@sasknow.com>
SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
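The following script is an added example, not part of the original thread or written by either poster. It reproduces the poster's "foo" test in a scratch directory created with mktemp, shows how many entries an unquoted `rm ?*` would expand to, and then removes only the file literally named `?*` using the quoting Ryan suggests (single quotes here, equivalent to `rm \?\*`). It also shows the find(1) variant, where the pattern must be escaped a second time because `-name` is itself a glob; the `-maxdepth` primary is assumed to be available (GNU and BSD find both have it, though it is not POSIX). All file names in the fixture are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): delete a file whose name
# is literally "?*" without letting the shell expand it as a glob.
# Every path below is a scratch fixture that this script creates itself.

# Build a scratch directory that mimics the poster's "foo" test: two
# ordinary files, a subdirectory, and the suspicious entry named '?*'.
# Prints the directory path on stdout.
make_fixture() {
  d=$(mktemp -d) || return 1
  touch "$d/a.txt" "$d/b.txt" "$d/?*" || return 1
  mkdir "$d/sub" || return 1
  printf '%s\n' "$d"
}

# How many names would an UNQUOTED  rm ?*  operate on in this directory?
# '?' matches one character and '*' any run, so the shell expands ?* to
# every non-hidden entry, which is exactly what the poster saw.  Nothing
# is deleted here; the expansion is only counted.
unquoted_expansion_count() {
  ( cd "$1" && set -- ?* && printf '%s\n' "$#" )
}

# Print each entry in brackets so an odd name like ?* is visible as-is.
show_names() {
  ( cd "$1" && for f in ./*; do printf '[%s]\n' "${f#./}"; done )
}

# Remove only the file literally named ?*.  Single quotes stop glob
# expansion (same effect as rm \?\*), and "--" stops rm from reading a
# leading "-" in a name as an option (cheap insurance for other odd names).
remove_literal() {
  ( cd "$1" && rm -- '?*' )
}

# Alternative: let find match the exact name.  find(1) also treats -name
# as a glob, so the metacharacters must be escaped for find as well.
# -maxdepth keeps it from descending into subdirectories (GNU/BSD, not POSIX).
remove_with_find() {
  find "$1" -maxdepth 1 -name '\?\*' -type f -exec rm -- {} +
}

# Returns 0 if the suspicious file is gone and the legitimate entries survived.
fixture_intact_after_removal() {
  [ ! -e "$1/?*" ] && [ -f "$1/a.txt" ] && [ -f "$1/b.txt" ] && [ -d "$1/sub" ]
}

# Stand-alone walkthrough: set up, show the danger, remove safely, verify.
demo() {
  d=$(make_fixture) || return 1
  echo "Entries in $d:"
  show_names "$d"
  echo "An unquoted 'rm ?*' here would have hit $(unquoted_expansion_count "$d") entries."
  remove_literal "$d" || return 1
  echo "After rm -- '?*':"
  show_names "$d"
  fixture_intact_after_removal "$d" && echo "Only the suspicious file was removed."
  rm -rf "$d"
}

demo
```

The same quoting rule applies to any other shell metacharacter in a planted file name (`*`, `[`, leading `-`, embedded spaces or newlines): quote the argument or pass it as `./name`, and if you reach for find, remember that its `-name` pattern is a second layer of globbing. None of this changes Ryan's main point: a file like this is evidence of the compromise, and deleting it tidies the web root without making the host trustworthy again.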