Date: Wed, 24 Jul 2002 21:11:35 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: sagacious <sagacious@unixhideout.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: heh
Message-ID: <20020724210254.S92334-100000@ren.sasknow.com>
In-Reply-To: <000601c2336b$aea3e8d0$0a01a8c0@MIKESBOX>
sagacious wrote to freebsd-questions@FreeBSD.ORG:

> There is a file in my website root called ?*
> I knew I didn't make the file so I made a test directory called foo,
> went into it and touched some quick files and directories. I typed
> rm ?* and sure as I thought it deleted all the test files.

Good test. :-)

rm \?\*

> Someone really has it out for me lately.

Ha!

> I think my box has been compromised and I'm not sure where to start.

Unplug it from the network, start analysing logs and your filesystems (or back up this data to analyse later, if the box is critical to operations). Perform a complete OS re-install and restore data from a known good back-up. If you perform regular backups, and document your system configuration, this should not be a terribly daunting task, even for a moderate configuration. If you have made several backups since the break-in occurred, you have more work ahead of you. Do *not* risk restoring harmful data and re-introducing the exploit.

> They got in via that god damn sshd exploit so I closed the port in
> my router. How do I remove this file without messing up my box?

OK. Even if you know how they got in, and successfully plugged the hole, assume that your box is still compromised. The first thing that most root kits do is install other backdoors... as they expect you to find the original hole and close it quickly. Thus the advice to rebuild your filesystems and start over.

> sagacious (Mike)
> Network administrator
> The unixhideout network
> http://www.unixhideout.com

--
Ryan Thompson <ryan@sasknow.com>

SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4

Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
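A scratch-directory reproduction of the glob problem discussed in the thread, added here as an example that is not part of the original messages. It creates a file literally named `?*` beside two ordinary files, counts how many names an unquoted `?*` expands to (without deleting anything), then removes only the literal file by quoting the name, which has the same effect as `rm \?\*`.

```shell
#!/bin/sh
# Added example: why an unquoted "rm ?*" removes every non-hidden file in the
# directory, and how quoting confines rm to the one oddly named file.

# Create a scratch directory holding the suspicious "?*" file plus two
# innocent files (constructed sample names), and print the directory path.
setup_scratch() {
    dir=$(mktemp -d)
    touch "$dir/?*" "$dir/index.html" "$dir/notes.txt"
    printf '%s\n' "$dir"
}

# Report how many directory entries the unquoted pattern ?* expands to.
# "?" matches any single character and "*" the rest, so every non-hidden
# name matches; nothing is deleted here, we only count the expansion.
count_glob_matches() {
    ( cd "$1" && set -- ?* && echo "$#" )
}

# Remove only the file whose name is literally "?*". Inside double quotes the
# shell performs no pathname expansion, so rm receives the two characters
# verbatim. "--" guards against the name being taken as an option.
remove_literal() {
    rm -- "$1/?*"
}

# Count the non-hidden entries left in the directory afterwards.
count_files() {
    ( cd "$1" && set -- * && echo "$#" )
}
```

Run `count_glob_matches` before `remove_literal` to see the expansion that bit the original poster (3 matches on the scratch directory); after the quoted removal only `index.html` and `notes.txt` remain.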