From owner-freebsd-hackers@FreeBSD.ORG Sat Jan 14 06:02:40 2006
Return-Path:
X-Original-To: freebsd-hackers@freebsd.org
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7289F16A41F for ; Sat, 14 Jan 2006 06:02:40 +0000 (GMT) (envelope-from doconnor@gsoft.com.au)
Received: from cain.gsoft.com.au (cain.gsoft.com.au [203.31.81.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id ACBDF43D46 for ; Sat, 14 Jan 2006 06:02:36 +0000 (GMT) (envelope-from doconnor@gsoft.com.au)
Received: from inchoate.gsoft.com.au (ppp209-190.lns1.adl2.internode.on.net [203.122.209.190]) (authenticated bits=0) by cain.gsoft.com.au (8.13.5/8.13.4) with ESMTP id k0E62Vew027583 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Sat, 14 Jan 2006 16:32:31 +1030 (CST) (envelope-from doconnor@gsoft.com.au)
From: "Daniel O'Connor"
To: freebsd-hackers@freebsd.org, anchor
Date: Sat, 14 Jan 2006 16:32:28 +1030
User-Agent: KMail/1.8.3
References: <2374502.post@talk.nabble.com>
In-Reply-To: <2374502.post@talk.nabble.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1396418.se7W9MObOf"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200601141632.29709.doconnor@gsoft.com.au>
X-Spam-Score: 0 ()
X-Scanned-By: MIMEDefang 2.54 on 203.31.81.10
Cc:
Subject: Re: My machine been hacked, I need help
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Sat, 14 Jan 2006 06:02:40 -0000

--nextPart1396418.se7W9MObOf
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Sat, 14 Jan 2006 14:35, anchor (sent by Nabble.com) wrote:
> My machine has been hacked. The message file was modified. Old dated backup
> files are deleted. The last log was truncated. You are gurus. Would you
> please tell me where I can find other trace files or logfiles to figure
> out where the hacker came from?

1) Turn it off
2) Put a new hard disk in it and install FreeBSD freshly on the new disk
3) Mount the old disk read only and recover all the data you can (no executables)
4) Do forensics on the old disk, and/or back it up to tape.
5) Nuke the contents of the old disk.

Basically it is really hard to trust any code run from the old disk, although, as someone suggested, DDB is most likely to be OK, but you never know :)

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

--nextPart1396418.se7W9MObOf
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQBDyJP15ZPcIHs/zowRAvNvAJ9Zz+zjo95LhtvBxxLN7H1yTJbGuACfXZ+T
hX6pyeGcUrTsP05bLY0EXQc=
=/+hf
-----END PGP SIGNATURE-----

--nextPart1396418.se7W9MObOf--
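Added example (not part of the mail above, and not Daniel O'Connor's code): a small POSIX sh triage script for steps 3 and 4 of his list, run from the freshly installed system against the old disk mounted read-only. It assumes the old filesystem is already mounted under the directory passed as the first argument (the `mount -o ro /dev/ad1s1a /mnt/old` device name in the comment is an assumption); it runs nothing from the old disk, only `find` and the clean host's own hashing tool, and produces the three things the truncated logs can no longer give you: setuid/setgid files left behind, files changed around the time of the break-in, and a SHA-256 manifest to verify the tape copy against later. With no argument it runs on a constructed sample tree so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original mail: triage of a compromised disk that
# has been mounted read-only on a freshly installed host.
# Assumes the old filesystem is mounted under the directory given as $1, e.g.
#   mount -o ro /dev/ad1s1a /mnt/old      (device name is an assumption)
# Nothing under that directory is executed; only find and the clean host's own
# hashing binary touch it.

# setuid/setgid regular files: a common place for a left-behind binary.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Regular files modified in the last N days (default 7), to bracket the
# intrusion when the logs themselves have been truncated.
find_recent() {
    find "$1" -xdev -type f -mtime "-${2:-7}" 2>/dev/null | sort
}

# Number of regular files in the tree, used to sanity-check the manifest.
count_files() {
    find "$1" -xdev -type f 2>/dev/null | wc -l | tr -d ' '
}

# Hash every regular file so a later tape/archive copy can be verified against
# this listing. Uses whichever SHA-256 tool the clean host has (FreeBSD: sha256,
# Linux: sha256sum) and falls back to cksum.
hash_tree() {
    find "$1" -xdev -type f 2>/dev/null | sort | while IFS= read -r f; do
        if command -v sha256 >/dev/null 2>&1; then sha256 -r "$f"
        elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"
        else cksum "$f"
        fi
    done
}

report() {
    echo "== setuid/setgid files under $1"
    find_setuid "$1"
    echo "== files modified in the last ${2:-7} days"
    find_recent "$1" "${2:-7}"
    echo "== SHA-256 manifest ($(count_files "$1") files)"
    hash_tree "$1"
}

# Constructed sample tree standing in for the old disk so the script can run
# offline; names and contents are made up and carry no significance.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/local/bin" "$t/var/log"
    printf 'not a real binary\n' > "$t/usr/local/bin/suspect"
    chmod 4755 "$t/usr/local/bin/suspect"
    printf 'Jan 14 00:00:00 host sshd[1]: constructed line\n' > "$t/var/log/messages"
    printf 'constructed old log\n' > "$t/var/log/old.log"
    touch -t 200001010000 "$t/var/log/old.log"   # backdated: must not show as recent
    echo "$t"
}

# Usage: sh old-disk-triage.sh /mnt/old   (no argument: run on the sample tree)
case "${1:-}" in
    "") SAMPLE=$(make_sample_tree); report "$SAMPLE"; rm -rf "$SAMPLE" ;;
    *)  report "$1" ;;
esac
```

Redirect the output to a file on the new disk (not the old one) and keep it with the tape; the manifest is what lets you prove later that what you restored from the backup is what was on the disk when you imaged it.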