Date:      Sat, 14 Jan 2006 16:32:28 +1030
From:      "Daniel O'Connor" <doconnor@gsoft.com.au>
To:        freebsd-hackers@freebsd.org, anchor <jacquejiang@hotmail.com>
Subject:   Re: My machine been hacked, I need help
Message-ID:  <200601141632.29709.doconnor@gsoft.com.au>
In-Reply-To: <2374502.post@talk.nabble.com>
References:  <2374502.post@talk.nabble.com>

On Sat, 14 Jan 2006 14:35, anchor (sent by Nabble.com) wrote:
> My machine has been hacked. The messages file was modified. Old dated backup
> files were deleted. The last log was truncated. You are gurus. Would you
> please tell me where I can find other trace files or log files to figure
> out where the hacker came from?

1) Turn it off
2) Put a new hard disk in it and install FreeBSD freshly on the new disk
3) Mount the old disk read-only and recover all the data you can (no executables)
4) Do forensics on the old disk, and/or back it up to tape.
5) Nuke the contents of the old disk.

Basically it is really hard to trust any code run from the old disk, although,
as someone suggested, DDB is most likely to be OK, but you never know :)

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
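As an added example of steps 3 and 4 above (not part of the thread): a POSIX shell script, run from the fresh FreeBSD install, that mounts the old disk read-only with execution disabled, then images it and records hashes of source and copy so the image can be shown to match. The device names /dev/ada1 and /dev/ada1s1a, the /mnt/old mount point and the /var/evidence directory are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Constructed example for handling the compromised disk from a clean system.
# Assumed names: old disk /dev/ada1, its root partition /dev/ada1s1a,
# mount point /mnt/old, evidence directory /var/evidence.
set -eu

# Portable SHA-256 of a file: FreeBSD ships sha256(1), Linux sha256sum(1).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Step 3: mount the old filesystem read-only and refuse to execute anything
# on it (noexec, nosuid) or follow its symlinks (nosymfollow), so nothing
# the attacker left behind can run while data is copied off.
mount_old_disk() {
    part="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -t ufs -o ro,noexec,nosuid,nosymfollow "$part" "$mnt"
}

# Step 4: bit-for-bit image of the old disk, with hashes of the source and
# of the copy written to a record file. Returns 0 only if the two match.
# On a disk with bad sectors add conv=noerror,sync to dd; the padded copy
# will then hash differently from the source, which is expected.
image_disk() {
    src="$1"; img="$2"; record="$3"
    dd if="$src" of="$img" bs=65536 2>/dev/null
    src_sum=$(hash_file "$src")
    img_sum=$(hash_file "$img")
    printf '%s  %s\n%s  %s\n' "$src_sum" "$src" "$img_sum" "$img" > "$record"
    [ "$src_sum" = "$img_sum" ]
}

# Usage: sh old_disk.sh /dev/ada1 /dev/ada1s1a
if [ "$#" -eq 2 ]; then
    mount_old_disk "$2" /mnt/old
    mkdir -p /var/evidence
    if ! image_disk "$1" /var/evidence/old-disk.img /var/evidence/old-disk.sha256; then
        echo "image hash does not match source; keep the disk and re-image" >&2
        exit 1
    fi
fi
```

Work only on the image from here on; the original disk stays untouched until step 5.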
