From owner-freebsd-amd64@FreeBSD.ORG Tue Jun 28 12:37:45 2005
X-Original-To: freebsd-amd64@FreeBSD.ORG
Delivered-To: freebsd-amd64@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C0CD16A41C for ; Tue, 28 Jun 2005 12:37:45 +0000 (GMT) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 968E343D58 for ; Tue, 28 Jun 2005 12:37:44 +0000 (GMT) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (qfmhmd@localhost [127.0.0.1]) by lurza.secnetix.de (8.13.1/8.13.1) with ESMTP id j5SCbeD1018972; Tue, 28 Jun 2005 14:37:40 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost) by lurza.secnetix.de (8.13.1/8.13.1/Submit) id j5SCbdto018971; Tue, 28 Jun 2005 14:37:39 +0200 (CEST) (envelope-from olli)
Date: Tue, 28 Jun 2005 14:37:39 +0200 (CEST)
Message-Id: <200506281237.j5SCbdto018971@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-amd64@FreeBSD.ORG, Oleg Rusanov
In-Reply-To: <1525910592.20050627141014@molecon.ru>
X-Newsgroups: list.freebsd-amd64
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.11-RELEASE (i386))
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Subject: Re: "sh -i" My server was hacked. How can i found hole on my server?
X-BeenThere: freebsd-amd64@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting FreeBSD to the AMD64 platform
X-List-Received-Date: Tue, 28 Jun 2005 12:37:45 -0000

Oleg Rusanov wrote:
> My server was hacked. The CPU was loaded to 99% by a "sh -i" process.
> I found out that someone had started phpshell through a hole in one of the phpbb forums.
> Also put scripts for flood and spam and a "vadim script" in "/tmp". I have made it noexec.
> Recently I found the same process again.
> Maybe I have left /tmp open again, or there may be another hole.
> What is the best way to clean my system?

If a machine has been hacked, the _only_ way to make sure that all holes and backdoors are gone is to newfs and reinstall from CD-ROM or other known-to-be-clean media. Better yet, remove the hard disk and keep it for further forensic examination. Install a new hard disk.

After that, be sure to install the latest version of phpbb, which has the problem fixed. Run it inside a jail only. When restoring your backup, only restore user data, no executables.

Keep your base system and ports up-to-date. Install portaudit. Subscribe to security mailing lists.

There's much more to say, but the above is probably the most important.

Best regards
   Oliver

PS: When replying, please do so privately. This issue is not on-topic on the freebsd-amd64 list.

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going
to land, and it could be dangerous sitting under them as they fly
overhead." -- RFC 1925
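Two small triage checks for the symptoms described in the thread, added here as an example and not part of either message: whether /tmp is actually mounted noexec,nosuid, and whether the web server user owns any interactive shell such as the "sh -i" spawned through phpshell. The mount(8) and ps(1) output is constructed, and the web server user is assumed to be "www" (the FreeBSD Apache port default); pass a different user as the second argument if yours differs.

```shell
#!/bin/sh
# Added triage helpers, not from the original thread. Both functions work on
# text, so they can take live output or a copy captured during the incident:
#   check_tmp_noexec "$(mount)"
#   find_www_shells  "$(ps -axo user,pid,ppid,pcpu,command)" www
# Assumption: the web server runs as "www" (the FreeBSD Apache port default).

# Return 0 if /tmp is its own mount point with both noexec and nosuid set,
# 1 otherwise (including the case where /tmp is just a directory on /).
check_tmp_noexec() {
    printf '%s\n' "$1" | awk '
        $2 == "on" && $3 == "/tmp" {
            found = 1
            if ($0 ~ /noexec/ && $0 ~ /nosuid/) ok = 1
        }
        END { exit (found && ok) ? 0 : 1 }'
}

# Print "pid ppid pcpu command" for processes owned by the web server user
# that are interactive shells ("sh -i" and friends): a shell whose parent
# chain leads back to httpd/php is the phpshell pattern from the report.
find_www_shells() {
    printf '%s\n' "$1" | awk -v user="${2:-www}" '
        NR > 1 && $1 == user &&
        $5 ~ /(^|\/)(sh|bash|csh|tcsh|ksh|zsh)$/ && $6 == "-i" {
            print $2, $3, $4, $5, $6
        }'
}

# Constructed sample output, shaped like FreeBSD mount(8) and ps(1) output.
SAMPLE_MOUNT_BAD='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, soft-updates)'
SAMPLE_MOUNT_GOOD='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, noexec, nosuid, soft-updates)'
SAMPLE_PS='USER     PID  PPID %CPU COMMAND
root       1     0  0.0 /sbin/init --
www     1234   800  0.0 /usr/local/sbin/httpd -DSSL
www     1301  1234  0.1 /usr/local/bin/php /usr/local/www/phpbb/viewtopic.php
www     1345  1301 99.0 sh -i
olli    2001  1990  0.0 -bash'

# Stand-alone demo on the constructed samples.
if ! check_tmp_noexec "$SAMPLE_MOUNT_BAD"; then
    echo "/tmp is not mounted noexec,nosuid"
fi
find_www_shells "$SAMPLE_PS"
```

A hit from find_www_shells is a lead for the forensic copy of the disk Oliver recommends keeping, not a cleanup step; the advice above to reinstall from clean media still stands.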