From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 08:22:44 2003
From: "Guy P." <guy@device.dyndns.org>
To: freebsd-security@freebsd.org
Date: Thu, 28 Aug 2003 17:22:25 +0200
Subject: Re: compromised server
Message-Id: <5.2.1.1.0.20030828171237.02796a00@device.dyndns.org>
List-Id: Security issues [members-only posting]

At 16:41 28/08/2003, jahmon wrote:
> I have a server that has been compromised.
> I'm running version 4.6.2.
> When I do
>
>   last
>
> this line comes up in the list:
>
>   shutdown ~ Thu Aug 28 05:22
>
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf).
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon

Usual process is to shut down the computer ASAP, and never boot again from its current disk until it's wiped out, or until you have retrieved all the information you wanted.
Instead, boot off a CD (a live filesystem if you have one, but the install CD could do too) and make sure to mount your (compromised) disk(s) read-only, without running anything executable off them. Then proceed to the investigation. The first step would be chkrootkit (though part of its tests require you to run it "live" on the suspicious system). Also spend some time reading the various /var/log files (but don't rely on their integrity). If you have an aide or tripwire "image" of your system somewhere, it's time to put it to use. For more ideas you could read, for instance, the archives of the honeynet challenges ( http://project.honeynet.org/misc/chall.html ).

gd'luk
--
Guy
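The "aide or tripwire image" step above, worked through as an added example that is not part of the list post and not aide's or tripwire's own code: a minimal file-integrity manifest (SHA-256, permission bits, size per regular file) that you take of the system while it is known-good, store off the box, and later compare against the compromised disk mounted read-only from the live CD. The function names, the manifest format and the toy /etc tree in `demo()` are all constructed for this illustration; in real use you would point `build_manifest()` at the read-only mount point (e.g. `/mnt/etc`) rather than at a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, Tuple

# One manifest entry per regular file: (sha256 hex digest, permission bits, size).
# mtime is deliberately left out: an intruder can reset it with touch(1),
# whereas content and mode are what an investigator actually wants to compare.
Entry = Tuple[str, int, int]


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large logs/binaries don't load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, Entry]:
    """Walk `root` (a read-only mount of the disk under investigation) and record
    every regular file, keyed by its path relative to `root`. Symlinks, devices
    and sockets are skipped: lstat() is used so a symlink is never followed."""
    manifest: Dict[str, Entry] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            manifest[rel] = (hash_file(full), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest


def save_manifest(manifest: Dict[str, Entry], path: str) -> None:
    """Tab-separated text so the baseline can be kept on another host and diffed by eye."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            sha, mode, size = manifest[rel]
            fh.write(f"{sha}\t{mode:o}\t{size}\t{rel}\n")


def load_manifest(path: str) -> Dict[str, Entry]:
    manifest: Dict[str, Entry] = {}
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            sha, mode, size, rel = line.rstrip("\n").split("\t", 3)
            manifest[rel] = (sha, int(mode, 8), int(size))
    return manifest


def compare_manifests(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, list]:
    """Report files that appeared, disappeared, or changed content/mode/size
    between the known-good baseline and the disk being examined."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario mirroring the thread: snapshot a toy /etc, then
    simulate the kind of tampering jahmon describes (resolv.conf reverted,
    a file removed, an unexpected file dropped) and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "resolv.conf"), "w") as fh:
            fh.write("nameserver 192.0.2.53\n")  # constructed value
        with open(os.path.join(etc, "motd"), "w") as fh:
            fh.write("welcome\n")
        # In practice the baseline lives off the box; here it just sits outside `etc`.
        baseline_path = os.path.join(root, "baseline.txt")
        save_manifest(build_manifest(etc), baseline_path)

        # --- tampering, constructed for the demo ---
        with open(os.path.join(etc, "resolv.conf"), "w") as fh:
            fh.write("nameserver 127.0.0.1\n")
        os.remove(os.path.join(etc, "motd"))
        with open(os.path.join(etc, "unexpected_binary"), "w") as fh:
            fh.write("not really a binary\n")

        return compare_manifests(load_manifest(baseline_path), build_manifest(etc))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the baseline's storage and the environment it runs in: take the manifest before the incident, keep it where the compromised host could not reach it, and run the check from the live CD with the disk mounted read-only, never from the suspect system's own userland.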