From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 09:15:39 2003
From: "Devon H. O'Dell" <dodell@sitetronics.com>
Date: Thu, 28 Aug 2003 18:15:00 +0200
To: jahmon, freebsd-security@freebsd.org
Subject: Re: compromised server
Message-ID: <3F4E2A84.4050007@sitetronics.com>
List-Id: Security issues [members-only posting]

Heh, I forgot to send this to the group... so here it is.

To check for suid and sgid programs, run the following command:

    find / -type f \( -perm -04000 -o -perm -02000 \)

Hope this helps.

--Devon

jahmon wrote:
> Devon,
>
> checked the /var/log - nothing strange found
> ran chkrootkit - nothing found
> checked user accounts - no new accounts found
>
> how do I check for suid permissions?
>
> Thanks,
>
> jahmon
>
> On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. O'Dell wrote:
>
>> You will want to read everything in /var/log, run chkrootkit, check
>> out .history files, look for new user accounts, look for files with
>> suid permissions and other similar stuff. I don't know of a site that
>> really says what exactly to do. If someone knows such a reference,
>> it'd be highly useful. Otherwise, is anybody willing to write one
>> (I'd be willing to contribute)?
>>
>> One good thing may be to search for computer forensics on Google,
>> specifically for compromised servers. Combining those and other words
>> may give you varying levels of success, I think.
>>
>> --Devon
>>
>> jahmon wrote:
>>
>>> I have a server that has been compromised.
>>> I'm running version 4.6.2
>>> when I do
>>>
>>>     last
>>>
>>> this line comes up in the list.
>>>
>>>     shutdown ~ Thu Aug 28 05:22
>>>
>>> That was the time the server went down.
>>> There seemed to be some configuration changes.
>>> Some of the files seemed to revert back to default versions
>>> (httpd.conf, resolv.conf).
>>>
>>> Does anyone have a clue what type of exploit they may have used?
>>> Is there any way I can find out if there are any trojans installed?
>>>
>>> Thanks
>>>
>>> jahmon
>>>
>>> _______________________________________________
>>> freebsd-security@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe@freebsd.org"
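The one-off find command in Devon's reply only tells you what is setuid/setgid right now; on a box you suspect is compromised, what you actually want to know is which of those files were not there before. The script below is an added example written for this page (it is not from the thread or from the FreeBSD project): it wraps the same find expression in a function, saves its output as a baseline, and reports entries that appear later. The function and file names are the example's own, and the demo builds a constructed directory tree under mktemp so it runs as an unprivileged user without touching the real filesystem.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inventory setuid/setgid
# files and diff the inventory against a previously saved baseline.

# list_suid_sgid ROOT
#   Print every regular file under ROOT with the setuid (04000) or setgid
#   (02000) bit set, one path per line, sorted so the output diffs cleanly.
#   Note the space after "\(": without it find reads "\(-perm" as one
#   unknown option and errors out.  -xdev keeps the walk on one filesystem
#   so NFS and proc-style mounts do not flood the list.
list_suid_sgid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# save_baseline ROOT FILE
#   Store the current inventory in FILE.  On a clean install this is the
#   file you would keep on read-only media for later comparison.
save_baseline() {
    list_suid_sgid "$1" > "$2"
}

# new_suid_since ROOT BASELINE
#   Print paths that are setuid/setgid now but absent from BASELINE.
#   comm -13 needs both inputs sorted; list_suid_sgid already sorts, and
#   the baseline was written by it.
new_suid_since() {
    list_suid_sgid "$1" | comm -13 "$2" -
}

# demo: constructed tree, one known setuid binary in the baseline, then a
# second one dropped into a dot-file later.  Only the second is reported.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/tmp"
    printf '#!/bin/sh\necho hello\n' > "$tmp/bin/known"
    chmod 4755 "$tmp/bin/known"
    save_baseline "$tmp" "$tmp/baseline.txt"
    cp "$tmp/bin/known" "$tmp/tmp/.hidden"
    chmod 4755 "$tmp/tmp/.hidden"
    echo "setuid/setgid files not in baseline:"
    new_suid_since "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `sh suidcheck.sh --demo` to see the constructed case; for real use, `save_baseline / /mnt/readonly/suid.baseline` on a known-good system and `new_suid_since / /mnt/readonly/suid.baseline` during triage. Keep in mind that a rootkit which replaces find, sort or comm can lie to this script just as it can lie to chkrootkit, which is why the thread's advice to inspect from trusted media still applies.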