From: Marko Lerota <marko.lerota@optima-telekom.hr>
To: freebsd-security@freebsd.org
Date: Mon, 27 Jun 2005 16:02:45 +0200
Subject: Re: "sh -i" My server was hacked. How can i found hole on my server?
Message-ID: <86wtof3nju.fsf@redcloud.local>
In-Reply-To: <1344959974.20050627142110@molecon.ru> (Oleg Rusanov's message of "Mon, 27 Jun 2005 14:21:10 +0400")
References: <1344959974.20050627142110@molecon.ru>
Organization: Unix Users - Fanatics Dept.
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.17 (Jumbo Shrimp, berkeley-unix)

Oleg Rusanov writes:

> Hello.
>
> My server was hacked. The CPU has been loaded to 99% by an "sh -i" process.
> I found out that someone has started phpshell through a hole in one of the phpbb forums.
> They also put scripts for flood and spam, and a "vadim script", in
> "/tmp". I have made it noexec. Recently I found the same process again.
> Maybe I have left /tmp open again, or there may be another hole.
> What is better to do to clean my system?
> How can I find the hole on my server?

Before formatting, try rkhunter and nessus.

-- 
One cannot sell the earth upon which the people walk
Tacunka Witco
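Two of the checks a defender would run on a box like the one described above, before deciding whether to reinstall, are whether /tmp really is mounted noexec and whether any interactive shell is running with no controlling terminal (a web-spawned `sh -i` shows up with TT `??` in `ps`). The script below is an added example and is not part of the list thread or of rkhunter or nessus. It assumes FreeBSD-style `mount` output (`device on mountpoint (fstype, opt, opt)`) and the column layout of `ps axo pid,user,%cpu,tty,command`; the sample lines it parses are constructed so it runs offline, and on a real host you would feed it `$(mount)` and `$(ps axo pid,user,%cpu,tty,command)` instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline post-incident triage:
# parse constructed `mount` and `ps` output instead of touching the live host.

# Constructed sample of FreeBSD `mount` output (hypothetical devices).
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1d on /tmp (ufs, local, nosuid, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)'

# Constructed sample of `ps axo pid,user,%cpu,tty,command` (hypothetical PIDs).
SAMPLE_PS='  PID USER      %CPU TT  COMMAND
  471 root       0.0 ??  /usr/sbin/sshd
 1203 www       99.0 ??  sh -i
 1210 marko      0.3 p0  -bash
 1300 www        0.1 ??  /usr/local/sbin/httpd'

# Return 0 if mount point $1 carries option $2 in the mount output given as $3.
# Usage: has_mount_option /tmp noexec "$mount_output"
has_mount_option() {
    mp=$1; opt=$2; input=$3
    printf '%s\n' "$input" | awk -v mp="$mp" -v opt="$opt" '
        $3 == mp {
            # options are the comma separated list inside the parentheses
            line = $0
            sub(/^[^(]*\(/, "", line); sub(/\).*$/, "", line)
            n = split(line, o, /, */)
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print "PID USER %CPU" for every `sh -i` style shell that has no controlling
# terminal (TT is "??"): an interactive shell nobody is typing into.
# Usage: detached_shells "$ps_output"
detached_shells() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $4 == "??" && $5 ~ /sh$/ && $6 == "-i" { print $1, $2, $3 }'
}

# Combine both checks into a short report; return 1 if anything needs attention.
# Usage: triage_report "$mount_output" "$ps_output"
triage_report() {
    mount_out=$1; ps_out=$2; status=0
    if has_mount_option /tmp noexec "$mount_out"; then
        echo "OK: /tmp is mounted noexec"
    else
        echo "WARN: /tmp is NOT mounted noexec (check /etc/fstab and remount)"
        status=1
    fi
    shells=$(detached_shells "$ps_out")
    if [ -n "$shells" ]; then
        echo "WARN: interactive shells with no controlling terminal (pid user %cpu):"
        echo "$shells"
        status=1
    else
        echo "OK: no detached interactive shells"
    fi
    return $status
}

# Run against the constructed samples: /tmp lacks noexec and PID 1203 is flagged.
triage_report "$SAMPLE_MOUNT" "$SAMPLE_PS" || echo "triage: attention needed"
```

Both checks are read-only, so they are safe to run on a suspect host before any cleanup; the rkhunter and nessus runs the reply suggests cover what this script does not, namely known rootkit signatures and the vulnerable phpbb install itself.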