Date: Tue, 28 Jun 2005 14:37:39 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-amd64@FreeBSD.ORG, Oleg Rusanov <freebsd-amd64@molecon.ru>
Subject: Re: "sh -i" My server was hacked. How can i found hole on my server?
Message-ID: <200506281237.j5SCbdto018971@lurza.secnetix.de>
In-Reply-To: <1525910592.20050627141014@molecon.ru>
Oleg Rusanov <freebsd-amd64@molecon.ru> wrote:

> My server was hacked. The CPU has been loaded on 99 % by "sh -i" process.
> I found out that someone has started phpshell through a hole in one of phpbb forums.
> Also has filled in scripts for flud and spam and "vadim script" in
> "/tmp". I have made it noexec. Recently I have found out the same process.
> Maybe I have left again /tmp opened, or other hole may be.
> What is better to do for cleaning my system?

If a machine has been hacked, the _only_ way to make sure that all holes and backdoors are gone is to newfs and re-install from CD-ROM or other known-to-be-clean media. Better yet, remove the harddisk and keep it for further forensic examinations. Install a new harddisk.

After that, be sure to install the latest version of phpbb, which has the problem fixed. Run it inside a jail only. When restoring your backup, only restore user data, no executables.

Keep your base system and ports up-to-date. Install portaudit. Subscribe to security mailing lists.

There's much more to say, but the above is probably the most important.

Best regards
   Oliver

PS: When replying, please do so privately. This issue is not on-topic on the freebsd-amd64 list.

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead." -- RFC 1925
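The advice above to restore only user data and no executables can be checked mechanically before anything is copied back onto the freshly installed system. The following POSIX sh script is an added example and is not part of the thread or of any FreeBSD tool: given the directory where the backup was extracted on a known-clean host, it lists every regular file that is set-uid/set-gid, has any execute bit set, or starts with an ELF header or a "#!" interpreter line. The function names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an extracted backup
# tree for executables before restoring it onto a reinstalled system.
# Assumes the backup has been extracted under a directory on a clean host.

# magic4 FILE: print the first four bytes of FILE as lowercase hex, no spaces.
magic4() {
    od -A n -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n'
}

# audit_tree DIR: print one "REASON<TAB>path" line per suspicious file.
# Reasons: SETID (set-uid or set-gid), EXECBIT (any execute bit),
# ELF (ELF magic), SHEBANG ("#!" interpreter line). A file can match
# more than one reason and is then listed once per reason.
audit_tree() {
    dir=$1
    find "$dir" -type f \( -perm -u+s -o -perm -g+s \) |
        while IFS= read -r f; do printf 'SETID\t%s\n' "$f"; done
    find "$dir" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) |
        while IFS= read -r f; do printf 'EXECBIT\t%s\n' "$f"; done
    # Content checks catch binaries and scripts whose mode bits were cleared.
    find "$dir" -type f | while IFS= read -r f; do
        case $(magic4 "$f") in
            7f454c46) printf 'ELF\t%s\n' "$f" ;;      # \x7fELF
            2321*)    printf 'SHEBANG\t%s\n' "$f" ;;  # "#!"
        esac
    done
}

# count_findings DIR: number of lines audit_tree reports for DIR.
count_findings() {
    audit_tree "$1" | wc -l | tr -d ' '
}

# build_sample_tree: create a constructed backup tree in a temp directory
# and print its path. Contents (all made up for this example):
#   home/notes.txt   plain data, nothing to report
#   home/run.sh      shell script with x bit  -> EXECBIT + SHEBANG
#   home/tool        ELF magic, no x bit      -> ELF
#   home/upload.dat  opaque data with x bit   -> EXECBIT
build_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/home"
    printf 'forum user data, safe to restore\n' > "$d/home/notes.txt"
    chmod 644 "$d/home/notes.txt"
    printf '#!/bin/sh\necho hello\n' > "$d/home/run.sh"
    chmod 755 "$d/home/run.sh"
    printf '\177ELF' > "$d/home/tool"
    chmod 644 "$d/home/tool"
    printf 'opaque\n' > "$d/home/upload.dat"
    chmod 750 "$d/home/upload.dat"
    printf '%s\n' "$d"
}

# Usage: sh audit_restore.sh /path/to/extracted/backup
if [ -n "${1:-}" ]; then
    audit_tree "$1"
fi
```

Run it against the extracted backup and review every reported path before copying data across; anything flagged should be recreated from the fresh install or from ports rather than restored. The content checks matter because an intruder's files are not guaranteed to carry execute bits.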