From: Olivier Nicole <on@cs.ait.ac.th>
To: cb@lim.nl
Cc: freebsd-questions@freebsd.org
Subject: Re: what www perl script is running?
Date: Tue, 25 Aug 2009 17:59:14 +0700 (ICT)
Message-Id: <200908251059.n7PAxEFo010968@banyan.cs.ait.ac.th>
In-reply-to: <25132123.post@talk.nabble.com> (message from Colin Brace on Tue, 25 Aug 2009 03:46:43 -0700 (PDT))
References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com>

Colin,

> I suppose this calls for a "bare-metal" reinstall.
> Is it worth first trying to determine how my system was broken into?

It really depends on:

- what is installed on that machine (how long it would take to reinstall, how much software, how many ports, specially configured stuff);
- how important it is that you keep the machine running (like the only web server generating all the revenue for your company vs. your home mail server that is being used by you and your household).

If you can afford to take the system down for enough time to reinstall it from scratch, that is the best: you will know 100% that you did not forget some backdoor somewhere, you can install updated software, you may implement those fancy changes that you have always wanted to implement but would not do because you were afraid of breaking a working server.

In any case, it is a good exercise to try to find out how you were broken into: a security hole in the OS or some port, which hopefully an upgrade will close, or a security hole in some home-made script? If you re-install that script on your new server without closing the holes, the new server will be vulnerable too, and soon compromised.

It may also be good to dig through the logs and try to find who has been reaching your infected server: it happened to me (third-party software installed by an outside contractor); from the logs I contacted all the people that I could locate upstream, and about 5 to 10% of them were not aware that they had been infected too...

Trying to understand how you got compromised is a good way to gain deeper knowledge about your system.

Best regards,

Olivier
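Olivier suggests digging through the logs to see who has been reaching the compromised web server. The following is an added example of that triage step, not code from the original message or from any project discussed in the thread. It parses Apache/nginx "combined" access-log lines, keeps only requests to a given path, and reports per client IP the hit count, the first and last time seen, the status codes returned, and the user agents used. The log lines, the script path `/cgi-bin/form.pl`, and the client addresses (RFC 5737 documentation ranges) are constructed for the example and do not come from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format:
#   ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it
    does not match (truncated lines, other formats, garbage)."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def triage_access_log(lines, target_path):
    """Summarise every client that requested target_path (query string
    ignored). Returns a list of (ip, summary) sorted by hit count, descending,
    so the heaviest users of the suspect script come first."""
    clients = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop ?cmd=... before comparing
        if not path.startswith(target_path):
            continue
        c = clients.setdefault(rec["ip"], {
            "hits": 0,
            "first": rec["ts"],
            "last": rec["ts"],
            "agents": set(),
            "statuses": defaultdict(int),
        })
        c["hits"] += 1
        c["first"] = min(c["first"], rec["ts"])
        c["last"] = max(c["last"], rec["ts"])
        c["agents"].add(rec["ua"])
        c["statuses"][rec["status"]] += 1
    return sorted(clients.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))


# Constructed sample log (hypothetical path, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Aug/2009:03:12:01 +0700] "GET /cgi-bin/form.pl?cmd=id HTTP/1.1" 200 512 "-" "libwww-perl/5.808"
198.51.100.20 - - [24/Aug/2009:03:14:45 +0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2009:03:15:10 +0700] "POST /cgi-bin/form.pl HTTP/1.1" 200 128 "-" "libwww-perl/5.808"
192.0.2.33 - - [24/Aug/2009:04:01:59 +0700] "GET /cgi-bin/form.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
this line is not in combined format and is skipped
"""


if __name__ == "__main__":
    # Typical use on a real box: triage_access_log(open("/var/log/httpd-access.log"), "/cgi-bin/form.pl")
    for ip, s in triage_access_log(SAMPLE_LOG.splitlines(), "/cgi-bin/form.pl"):
        print(f"{ip:16} hits={s['hits']:3} first={s['first']:%Y-%m-%d %H:%M} "
              f"last={s['last']:%Y-%m-%d %H:%M} statuses={dict(s['statuses'])} "
              f"agents={sorted(s['agents'])}")
```

The point of the summary is practical: the addresses that hit the script earliest, or with a scripted user agent such as `libwww-perl`, are the ones to look at when deciding whom to contact upstream, and the first-seen timestamp bounds how long the box has been serving the script. Run it against the full log rather than a rotated tail, and remember that the log itself lives on a compromised host, so treat its contents as a lead, not as proof.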