From owner-freebsd-isp Sun Nov 25 7:18:13 2001
Message-ID: <000b01c175c4$534364d0$4d939dce@vghker>
From: "David Rhodus"
Subject: Re: Attack on server, need help ASAP
Date: Sun, 25 Nov 2001 10:17:40 -0500
Sender: owner-freebsd-isp@FreeBSD.ORG

First thing you want to look at is 'ps auxgw' and see if there is
anything running that you don't know about.

Next, make sure you have lsof installed, then run 'lsof | grep LISTEN'
and see what all is taking connections.

If then you still don't see anything out of order, try doing a cvsup.
If it is a machine that you can take offline for a bit, I would, and do a
fresh install.

Hope that helps.

Thanks,
David Rhodus

----- Original Message -----
From:
To: "Bill A. K."
Cc:
Sent: Sunday, November 25, 2001 7:35 AM
Subject: Re: Attack on server, need help ASAP

>
>
> On Sat, 24 Nov 2001, Bill A. K. wrote:
>
> > My server was just attacked.........someone tried logging in telnet, and apparently shut down the telnet daemon from trying (over 400 times)....there's NOTHING in the logs, the IPs were on the screen, but stupid me started typing stuff and now they're gone. Is there a way to get back what was on the screen, like a history of stdout? Please, someone help, asap, I would really appreciate it.
>
> Not a solution to your problem but I may as well ask:
>
> 1. Why are you running telnet when there is ssh?
> 2. Is your FreeBSD machine patched against the telnetd exploit which was
> released some months ago? If not, start looking for signs of intrusion and
> think of a reinstall.
>
> 3. Do a cvsup to the latest release or stable version of FreeBSD.
>
> Noah.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
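
The 'lsof | grep LISTEN' check from the reply above, as an added example that is not part of the original thread: it compares listening sockets against a known-good list and prints only the ones nobody accounted for. The `command:port` allowlist format, the function names, and the sample lsof output are assumptions constructed for this sketch.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on a known-good list.
# stdin: output of `lsof -i -n -P`.
# args:  expected "command:port" pairs (allowlist format assumed here).

unexpected_listeners() {
    allow="$*"
    awk -v allow="$allow" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Only rows whose last field is (LISTEN); header and
        # ESTABLISHED rows are skipped.
        $NF == "(LISTEN)" {
            addr = $(NF - 1)
            port = addr
            sub(/.*:/, "", port)          # text after the last colon
            key = $1 ":" port
            # lsof prints one row per descriptor (IPv4 and IPv6, forked
            # children), so report each command:port pair only once.
            if (!(key in ok) && !(key in seen)) {
                seen[key] = 1
                printf "%s pid=%s user=%s %s\n", $1, $2, $3, addr
            }
        }'
}

# Constructed sample output, not taken from the thread.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE     SIZE/OFF NODE NAME
sshd      212 root    3u  IPv4 0xc1a2b3c0      0t0  TCP *:22 (LISTEN)
sshd      212 root    4u  IPv6 0xc1a2b4d0      0t0  TCP *:22 (LISTEN)
sendmail  230 root    4u  IPv4 0xc1a2b5e0      0t0  TCP 127.0.0.1:25 (LISTEN)
inetd     198 root    5u  IPv4 0xc1a2b6f0      0t0  TCP *:23 (LISTEN)
sh       4411 nobody  3u  IPv4 0xc1a2b700      0t0  TCP *:4000 (LISTEN)
sshd      950 root    5u  IPv4 0xc1a2b810      0t0  TCP 192.0.2.10:22->198.51.100.7:51515 (ESTABLISHED)
EOF
}

# On a live host: lsof -i -n -P | unexpected_listeners sshd:22 sendmail:25
sample_lsof | unexpected_listeners sshd:22 sendmail:25
```

With this sample, the telnet listener under inetd and the unknown `sh` listener are reported, while sshd and sendmail are not. If the machine may already be compromised, treat the output as a hint only, since ps and lsof on that host can themselves have been replaced.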