Date: Mon, 8 Apr 2002 16:08:35 -0500 (CDT) From: Nick Rogness <nick@rogness.net> To: Todd Reed <ex279@hotmail.com> Cc: freebsd-questions@FreeBSD.ORG Subject: Re: Recovering from a Hack Message-ID: <Pine.BSF.4.21.0204081557230.24265-100000@cody.jharris.com> In-Reply-To: <F574koO7bhXfT433nD000005794@hotmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 8 Apr 2002, Todd Reed wrote: > I got hit last week by someone/something that has turned my BSDbox > into a DDOS attacker (I think). Every two or three days I have to > reboot because it starts flooding the network. Once I reboot it, it > ges back to working "normal". This is a temp fix for me until I can > rebuild it in the next few days, but I was wondering if some of you > people could offer some personal advice on building a more secure box. > I know the basics (shutdown all unnecessary ports, etc), but what are > some issues or tricks that you have used to make it more secure. I > would like to get enough responses and compile a list to post on > www.freebsddiary.org. > > Also, if the events were to take place that your box was hacked and > the intruder turned it into a DDoS attacker, what would you look at to > kill the program? Results from a PS command look normal, but they > could have changed the PS file. - look for unusual accounts (in the password file) - look for root kits - look for set-uid programs - look at what ports your machine is listening on - look for unusual files made after a certain date - Go through the weekly security reports mailed to root - Complete reinstall is needed (to be safe). Nick Rogness <nick@rogness.net> - Don't mind me...I'm just sniffing your packets To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0204081557230.24265-100000>