From owner-freebsd-questions Mon Jan 4 18:01:29 1999
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id SAA11377
        for freebsd-questions-outgoing; Mon, 4 Jan 1999 18:01:29 -0800 (PST)
        (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from gamma.aei.ca (gamma.aei.ca [206.123.6.10])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA11367
        for ; Mon, 4 Jan 1999 18:01:27 -0800 (PST)
        (envelope-from malartre@aei.ca)
Received: from aei.ca (ppp-110-229.mtl.aei.ca [207.107.110.229])
        by gamma.aei.ca (8.8.5/8.8.5) with ESMTP id VAA25930;
        Mon, 4 Jan 1999 21:00:34 -0500 (EST)
Message-ID: <369171F0.262944AF@aei.ca>
Date: Mon, 04 Jan 1999 20:59:12 -0500
From: Malartre
X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
X-Accept-Language: fr, en
MIME-Version: 1.0
To: Mike Alich
CC: freebsd-questions@FreeBSD.ORG
Subject: Re: HACKED & SECURITY
References: <36916425.10286B80@cctinc.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Mike Alich wrote:
>
> I am hoping you can help me...
>
> My server got hacked and there was no evidence in the root .history file
> of their actions. I believe they have a backdoor program on the server
> they run.
>
> I have disabled all shell login except myself.
> The only inetd running is FTP and qpopper mail server.
>
> I only use ssh for server access
>
> And I have done binary file restores from the live file system cd to the
> following:
> /bin
> /sbin
> /usr/bin
> /usr/sbin
> /usr/libexec
>
> Are there any other file areas (binaries) I need to restore?
>
> I have run diffs on all of the above files and they are good.
>
> Also do you have any ideas of how they got in. I believe they have been
> in for a while now.
>
> I really can't do a full re-install because there is too much custom work
> on the server.
>
> Any suggestions would be appreciated.
>
> Thanks in advance!
> --
> Mike Alich
> mike@cctinc.net
> Cyber Communication Technologies, Inc.
> Web Hosting and Internet Solutions.
> http://www.cctinc.net
> Virtual Web Hosting $14.95 per month

Please send a:
$ uname -a
You didn't mention what version of FreeBSD.
I'm not an expert, but I think Qpopper had a major security problem some
weeks/months ago. You should upgrade to the latest version.
--
[Malartre][malartre@aei.ca][http://www.aei.ca/~malartre/]
[LowRent.Org is down...]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
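
The comparison described in the quoted question (installed binaries checked against the live file system CD), as an added example that is not part of the original thread. It goes one step beyond a per-file diff by also listing files that exist on the server but not on the reference media; the function name `compare_tree` and the `/cdrom` mount point are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Compares system directories on the
# running host against a trusted reference tree (e.g. a mounted live CD).
#
# compare_tree REF ROOT DIR...
#   REF  - prefix of the trusted copy (assumed mount point, e.g. /cdrom)
#   ROOT - prefix of the system under inspection ("" for the live root)
# Prints one sorted line per finding and returns 1 if there are any:
#   CHANGED - file differs from the reference copy
#   MISSING - file is on the reference media but not on the system
#   EXTRA   - file is on the system but not on the reference media
compare_tree() {
    ref=$1; root=$2; shift 2
    findings=$(
        for dir in "$@"; do
            # Every reference file must exist and be byte-identical.
            if [ -d "$ref$dir" ]; then
                (cd "$ref$dir" && find . -type f) | while IFS= read -r f; do
                    f=${f#./}
                    if [ ! -e "$root$dir/$f" ]; then
                        echo "MISSING $dir/$f"
                    elif ! cmp -s "$ref$dir/$f" "$root$dir/$f"; then
                        echo "CHANGED $dir/$f"
                    fi
                done
            fi
            # Files present only on the system: a per-file diff against
            # the reference never looks at these.
            if [ -d "$root$dir" ]; then
                (cd "$root$dir" && find . -type f) | while IFS= read -r f; do
                    f=${f#./}
                    [ -e "$ref$dir/$f" ] || echo "EXTRA $dir/$f"
                done
            fi
        done | sort
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage with the directories listed in the question (mount point assumed):
#   compare_tree /cdrom "" /bin /sbin /usr/bin /usr/sbin /usr/libexec
```

Run it with the shell, `find` and `cmp` taken from the reference media, since the installed copies are the ones under suspicion. EXTRA entries are not necessarily hostile (locally installed software shows up there too), but each one needs an explanation.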