From owner-freebsd-questions Mon Apr 8 13:27:52 2002
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <009d01c1df3b$c9c240a0$0801a8c0@lan.1729.net>
From: "Ruben de Groot"
To: "Todd Reed"
Subject: Re: Recovering from a Hack
Date: Mon, 8 Apr 2002 22:27:21 +0200

"Todd Reed" wrote:

> I got hit last week by someone/something that has turned my BSDbox into a
> DDOS attacker (I think). Every two or three days I have to reboot because
> it starts flooding the network. Once I reboot it, it gets back to working
> "normal". This is a temp fix for me until I can rebuild it in the next few
> days, but I was wondering if some of you people could offer some personal
> advice on building a more secure box. I know the basics (shutdown all
> unnecessary ports, etc), but what are some issues or tricks that you have
> used to make it more secure. I would like to get enough responses and
> compile a list to post on www.freebsddiary.org.
>
> Also, if the events were to take place that your box was hacked and the
> intruder turned it into a DDoS attacker, what would you look at to kill the
> program? Results from a PS command look normal, but they could have changed
> the PS file.

You can only be sure if you reinstall.

But beforehand you might want to gather some information. Check your logfiles for possible clues or gaps. Monitor network traffic from another machine. You could try chkrootkit from the ports tree. It's capable of exposing some common rootkits used by "script kiddies". If you're dealing with the more sophisticated cracker you're probably out of luck, but they are a minority.

> --Todd

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
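One concrete way to do the "check your logfiles for gaps" step from the reply above, as an added example that is not part of the thread: a small Python script that walks syslog-style lines in order and flags long silences and timestamps that run backwards, both of which are what a hand-edited or truncated log tends to leave behind. The log excerpt is constructed, the year has to be supplied because classic syslog lines do not record it, and the idea is to run this over a copy of the logs on a machine you trust rather than with tools on the suspect box.

```python
import re
from datetime import datetime

# Constructed sample of a BSD syslog-style /var/log/messages excerpt (not a real log).
# Several hours are missing between the second and third entries, and the last
# entry is stamped earlier than the one before it.
SAMPLE_LOG = """\
Apr  8 20:58:03 bsdbox sshd[412]: Accepted publickey for ruben from 192.168.1.8 port 2201
Apr  8 21:03:11 bsdbox cron[488]: (root) CMD (/usr/libexec/atrun)
Apr  9 01:17:42 bsdbox cron[512]: (root) CMD (/usr/libexec/atrun)
Apr  9 01:17:55 bsdbox sshd[530]: Accepted password for todd from 10.0.0.5 port 3121
Apr  9 00:59:10 bsdbox kernel: arp: 192.168.1.1 moved from 00:11:22:33:44:55
"""

# "Mon DD HH:MM:SS" at the start of a classic syslog line; the year is not logged.
TS_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")


def parse_ts(line, year):
    """Return the datetime of a syslog line, or None if it carries no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m.group(1)} {int(m.group(2))} {m.group(3)}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S")


def find_log_anomalies(text, year, max_gap_seconds):
    """Scan syslog text top to bottom and return a list of
    (kind, seconds, previous_line, line) tuples, where kind is "gap" for a
    silence longer than max_gap_seconds and "out_of_order" for a timestamp
    that is earlier than the line before it."""
    findings = []
    prev_ts, prev_line = None, None
    for line in text.splitlines():
        ts = parse_ts(line, year)
        if ts is None:
            continue  # continuation lines and junk carry no timestamp
        if prev_ts is not None:
            delta = (ts - prev_ts).total_seconds()
            if delta < 0:
                findings.append(("out_of_order", delta, prev_line, line))
            elif delta > max_gap_seconds:
                findings.append(("gap", delta, prev_line, line))
        prev_ts, prev_line = ts, line
    return findings


if __name__ == "__main__":
    for kind, secs, before, after in find_log_anomalies(SAMPLE_LOG, 2002, 3600):
        print(f"{kind} ({secs:+.0f}s):\n  {before}\n  {after}")
```

A box that normally logs cron runs every few minutes but shows nothing for hours is worth a closer look, though a quiet period is only a hint and not proof of tampering.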