From: jahmon
To: freeBSD-security@freebsd.org
Date: Thu, 28 Aug 2003 10:41:59 -0400
Subject: compromised server

I have a server that has been compromised. I'm running version 4.6.2. When I do >last, this line comes up in the list:

shutdown ~ Thu Aug 28 05:22

That was the time the server went down. There seemed to be some configuration changes. Some of the files seemed to revert back to default versions (httpd.conf, resolv.conf).

Does anyone have a clue what type of exploit they may have used? Is there any way I can find out if there are any trojans installed?

Thanks
jahmon