From: "Todd Reed"
To: freebsd-questions@FreeBSD.ORG
Subject: Recovering from a Hack
Date: Mon, 08 Apr 2002 14:12:40 -0500

I got hit last week by someone/something that has turned my BSDbox into a DDOS attacker (I think). Every two or three days I have to reboot because it starts flooding the network. Once I reboot it, it goes back to working "normal".

This is a temp fix for me until I can rebuild it in the next few days, but I was wondering if some of you people could offer some personal advice on building a more secure box. I know the basics (shut down all unnecessary ports, etc.), but what are some issues or tricks that you have used to make it more secure? I would like to get enough responses and compile a list to post on www.freebsddiary.org.

Also, if the events were to take place that your box was hacked and the intruder turned it into a DDoS attacker, what would you look at to kill the program? Results from a PS command look normal, but they could have changed the PS file.

--Todd