From owner-freebsd-questions  Mon Apr  8 14: 1: 4 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83])
	by hub.freebsd.org (Postfix) with ESMTP id E023637B419
	for <freebsd-questions@FreeBSD.ORG>; Mon,  8 Apr 2002 14:00:59 -0700 (PDT)
Received: from localhost (nick@localhost)
	by cody.jharris.com (8.11.1/8.9.3) with ESMTP id g38L8ZI27108;
	Mon, 8 Apr 2002 16:08:35 -0500 (CDT)
	(envelope-from nick@rogness.net)
Date: Mon, 8 Apr 2002 16:08:35 -0500 (CDT)
From: Nick Rogness <nick@rogness.net>
X-Sender: nick@cody.jharris.com
To: Todd Reed <ex279@hotmail.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Recovering from a Hack 
In-Reply-To: <F574koO7bhXfT433nD000005794@hotmail.com>
Message-ID: <Pine.BSF.4.21.0204081557230.24265-100000@cody.jharris.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Mon, 8 Apr 2002, Todd Reed wrote:

> I got hit last week by someone/something that has turned my BSDbox
> into a DDOS attacker (I think).  Every two or three days I have to
> reboot because it starts flooding the network.  Once I reboot it, it
> ges back to working "normal".  This is a temp fix for me until I can
> rebuild it in the next few days, but I was wondering if some of you
> people could offer some personal advice on building a more secure box.  
> I know the basics (shutdown all unnecessary ports, etc), but what are
> some issues or tricks that you have used to make it more secure.  I
> would like to get enough responses and compile a list to post on
> www.freebsddiary.org.
> 
> Also, if the events were to take place that your box was hacked and
> the intruder turned it into a DDoS attacker, what would you look at to
> kill the program?  Results from a PS command look normal, but they
> could have changed the PS file.

	- look for unusual accounts (in the password file)
	- look for root kits
	- look for set-uid programs
	- look at what ports your machine is listening on
	- look for unusual files made after a certain date
	- Go through the weekly security reports mailed to root
	- Complete reinstall is needed (to be safe).


Nick Rogness <nick@rogness.net>
 - Don't mind me...I'm just sniffing your packets





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message