From owner-freebsd-questions Wed Jul 24 20:18:26 2002
From: "sagacious" <sagacious@unixhideout.com>
Subject: RE: owned.
Date: Wed, 24 Jul 2002 23:18:20 -0400
Message-ID: <000701c23389$ed841e30$0a01a8c0@MIKESBOX>
In-Reply-To: <20020724210254.S92334-100000@ren.sasknow.com>

Yes I backup all the time. I have all of my stuff copied into some hidden directories. Like www in case even I make a mistake. I rm -rf www and cp the old one. I update that backup whenever I do significant work. I also got a FreeBSD box using cvsup which updates home and www etc., all the major file systems and critical files. It does this automatically, I stuck it in daily.local. Finally, about once a month I zip the entire sup folder on the backup machine, zip them in 650 meg files and copy that to CD-R. So I'm good. I'm not about to reinstall this box though. That's why I want to use this script this guy scrapped up for me. So I can see movement.
If I do I will use your daunting solution. It's not so bad reinstalling, but I got all my stuff installed and configged etc. You know the drill. ;)

sagacious (Mike)
Network administrator
The unixhideout network
http://www.unixhideout.com

-----Original Message-----
From: Ryan Thompson [mailto:ryan@sasknow.com]
Sent: Wednesday, July 24, 2002 11:12 PM
To: sagacious
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: heh

sagacious wrote to freebsd-questions@FreeBSD.ORG:

> There is a file in my website root called ?*
> I knew I didn't make the file so I made a test directory called foo
> went into it and touched some quick files and directories. I typed
> rm ?* and sure as I thought it deleted all the test files.

Good test. :-)

rm \?\*

> Someone really has it out for me lately.

Ha!

> I think my box has been compromised and I'm not sure where to start.

Unplug it from the network, start analysing logs and your filesystems (or back up this data to analyse later, if the box is critical to operations). Perform a complete OS re-install and restore data from a known good back-up. If you perform regular backups, and document your system configuration, this should not be a terribly daunting task, even for a moderate configuration. If you have made several backups since the break-in occurred, you have more work ahead of you. Do *not* risk restoring harmful data and re-introducing the exploit.

> They got in via that god damn sshd exploit so I closed the port in
> my router. How do I remove this file without messing up my box.

OK. Even if you know how they got in, and successfully plugged the hole, assume that your box is still compromised. The first thing that most root kits do is install other backdoors... as they expect you to find the original hole and close it quickly. Thus the advice to rebuild your filesystems and start over.
> sagacious (Mike)
> Network administrator
> The unixhideout network
> http://www.unixhideout.com

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
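Ryan's point about `rm ?*` versus `rm \?\*`, worked through as an added shell example that is not part of the thread: it builds a throwaway directory like Mike's foo test, shows what the unquoted pattern expands to, and removes only the file literally named `?*`. The function names and the scratch directory layout are my own.

```shell
#!/bin/sh
# Added example (not from the thread): why "rm ?*" removes everything and how to
# remove only the file literally named "?*". Works in a scratch directory it creates.

# Build a scratch directory holding a file literally named "?*" plus a few
# ordinary entries, mirroring the "foo" test directory from the thread.
make_scratch() {
    d=$(mktemp -d) || return 1
    : > "$d/?*"          # quoted, so the shell creates the literal name
    : > "$d/index.html"
    : > "$d/logo.png"
    mkdir "$d/cgi-bin"
    printf '%s\n' "$d"
}

# Print what the UNQUOTED pattern expands to, one name per line. "?" matches
# any single character and "*" the rest, so every non-dotfile entry matches;
# this is exactly why Mike's "rm ?*" wiped his test directory.
glob_matches() {
    ( cd "$1" && set -- ?* && printf '%s\n' "$@" )
}

# Remove only the literal file. Quoting (or Ryan's backslashes, rm \?\*)
# stops the shell from treating ? and * as wildcards; "--" ends option parsing
# so a name beginning with "-" would not be read as a flag either.
remove_literal() {
    rm -- "$1/?*"
}

# Count remaining entries (dotfiles included) so a caller can check that
# nothing else was touched.
entry_count() {
    ( cd "$1" && ls -A | wc -l | tr -d ' ' )
}

# Demo: show the expansion, remove the literal file, show what is left.
demo() {
    d=$(make_scratch) || return 1
    echo "Unquoted ?* would expand to:"; glob_matches "$d"
    remove_literal "$d"
    echo "After rm -- '?*', remaining entries:"; ls -A "$d"
    rm -rf "$d"
}

demo
```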