Date: Thu, 28 Aug 2003 12:16:44 -0400
From: "James" <admin@oxygenshell.com>
To: "jahmon" <jahmon@jahmon.com>, <freeBSD-security@freebsd.org>
Subject: Re: compromised server
Message-ID: <049001c36d7f$c9e5ca60$6502a8c0@jim>
References: <C779A76E-D965-11D7-A329-000393DED9F6@jahmon.com>
Hello Jahmon,

In regards to your question, I would check over your resolv.conf and httpd.conf and check /var/log/messages and various other logging utilities. Also,

a. Run only the services you plan on using.
b. Use only the services that are necessary.
c. Use secure passwords.
d. Force users on your machine to use secure passwords.
e. Restrict root access to a minimal set of services.
f. Restrict access to these services via inetd and tcpwrappers.
g. Restrict access to your box using IP Firewall services (ipfw).
h. Log events on your machine and understand what logs are being kept.
i. Install some type of system change detection software so that you can tell if your server has been compromised.
j. Back up your server's data so that if it is compromised you can reinstall from scratch, but still have your data available.
k. Finally, physical security is important. The more people who have physical access to the machine, the less secure your server is.

When this is completed, run a sockstat command at the root prompt. This will enable you to view the various programs and ports being used. If you suspect something that's not bound to the proper port, firewall it until you can reinstall the program. In any case, once hacked, rootkits install various programs to set up setuid programs and/or utilities for sshd and other programs. In many cases for my clients' machines I would log in and update all programs: run cvsup and make buildworld ; make installworld over again. (Don't forget sockstat.) This will enable you to see if their rootkit was enabling any remote open ports to drop to a root prompt.

Thank You,
James Thomas Sr. Administrator
admin@oxygenshell.com

----- Original Message -----
From: "jahmon" <jahmon@jahmon.com>
To: <freeBSD-security@freebsd.org>
Sent: Thursday, August 28, 2003 10:41 AM
Subject: compromised server

> I have a server that has been compromised.
> I'm running version 4.6.2
> when I do
>
> >last
>
> this line comes up in the list.
> shutdown ~ Thu Aug 28 05:22
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf)
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
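The two checks James recommends (look at sockstat for listeners you did not plan on, and look for setuid programs a rootkit may have dropped) written out as a small script. This is an added example, not code from the thread or from FreeBSD; it assumes the `sockstat -4 -l` column order `USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS`, and the baseline of expected services, the sample sockstat output and the sample setuid lists are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Two offline-testable checks in the spirit
# of James's advice: (1) compare the listeners reported by `sockstat -4 -l`
# against an allowlist of expected COMMAND:PORT pairs, (2) compare the current
# list of setuid files against one saved from a known-good install.
# Assumed sockstat column order: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.

# Services this host is supposed to expose (constructed baseline for the example).
BASELINE="sshd:22
httpd:80
httpd:443"
export BASELINE

# Read sockstat output on stdin; print "COMMAND:PORT USER PID" for every listener
# not in $BASELINE. Exit status is 1 when at least one unexpected listener was seen.
unexpected_listeners() {
    awk '
        BEGIN {
            n = split(ENVIRON["BASELINE"], lines, "\n")
            for (i = 1; i <= n; i++) if (lines[i] != "") ok[lines[i]] = 1
            found = 0
        }
        $1 == "USER" { next }                  # column header line
        NF >= 6 {
            port = $6; sub(/.*:/, "", port)    # LOCAL ADDRESS is addr:port
            key = $2 ":" port
            if (!(key in ok)) { print key, $1, $3; found = 1 }
        }
        END { exit found }
    '
}

# Read the current list of setuid paths on stdin (e.g. from
# `find / -type f -perm -4000`) and print any path absent from the saved
# baseline file given as $1.
new_setuid_files() {
    awk 'FILENAME == ARGV[1] { known[$0] = 1; next } !($0 in known)' "$1" -
}

# Constructed sockstat output: sshd and httpd are expected, inetd on 21 and an
# unknown process on 2222 are not.
SAMPLE_SOCKSTAT="USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
www      httpd      601   16 tcp4   *:80                  *:*
root     inetd      410   5  tcp4   *:21                  *:*
root     udr        7742  3  tcp4   *:2222                *:*"

check_sample_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners
}

# Constructed setuid lists: /var/tmp/.hidden/ps is the path the baseline has never seen.
demo_setuid_check() {
    base=$(mktemp) || return 2
    printf '%s\n' /usr/bin/su /usr/bin/passwd /usr/bin/login > "$base"
    printf '%s\n' /usr/bin/su /usr/bin/passwd /usr/bin/login /var/tmp/.hidden/ps \
        | new_setuid_files "$base"
    rm -f "$base"
}

# Real use on the FreeBSD host (assumed commands, run as root):
#   sockstat -4 -l | unexpected_listeners
#   find / -type f -perm -4000 | new_setuid_files /path/to/known-good-setuid.txt
check_sample_listeners || echo "unexpected listeners found; review before rebuilding"
demo_setuid_check
```

On the sample data the first check reports `inetd:21 root 410` and `udr:2222 root 7742` and exits 1, and the second prints only `/var/tmp/.hidden/ps`. The baseline of setuid paths should be taken from a fresh install or from the backups James mentions, not from the suspect machine, since a rootkit that replaced `ps` or `find` can hide its own files from a comparison run on the compromised host.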