From: twig les <twigles@yahoo.com>
To: "Devon H. O'Dell", jahmon, freebsd-security@freebsd.org
Date: Thu, 28 Aug 2003 09:45:24 -0700 (PDT)
Subject: Re: compromised server
In-Reply-To: <3F4E2A84.4050007@sitetronics.com>
Message-ID: <20030828164524.7275.qmail@web10105.mail.yahoo.com>

No one will be able to even guess how they got in without knowing what you are
running on the box (IIS, MSSql, etc. [hahah, jk]). Although this may be belated,
there is an excellent book called "Incident Response: Investigating Computer
Crime" from authors Mandia and Prosise. Unfortunately I can almost guarantee
that the advice the book will give you is to restore from the last known-good
backup after re-installing the OS cleanly. If you were going to try to go
hardcore forensics on an intrusion you would have to already have a nice set of
utilities, hopefully on CD or floppy, ready to be mounted like: ps, ls, top, The
Coroner's Toolkit, etc (I'm sure I'm missing a bunch).

Sorry for the doom and gloom (and the lame MS joke) but the book is truly a
fascinating read even if you have nothing to do with incident response.

--- "Devon H. O'Dell" wrote:

> Heh, I forgot to send this to the group... so here it is.
>
> To check for suid and sgid programs, run the following command:
>
>     find / -type f \( -perm -04000 -o -perm -02000 \)
>
> Hope this helps.
>
> --Devon
>
> jahmon wrote:
>
> > Devon,
> >
> > checked the /var/log - nothing strange found
> > ran chkrootkit - nothing found
> > checked user accounts - no new accounts found
> >
> > how do I check for suid permissions.
> >
> > Thanks,
> >
> > jahmon
> >
> > On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. O'Dell wrote:
> >
> >> You will want to read everything in /var/log, run chkrootkit, check
> >> out .history files, look for new user accounts, look for files with
> >> suid permissions and other similar stuff. I don't know of a site that
> >> really says what exactly to do. If someone knows such a reference,
> >> it'd be highly useful. Otherwise, is anybody willing to write one
> >> (I'd be willing to contribute).
> >>
> >> One good thing may be to search for computer forensics on Google;
> >> specifically for compromised servers. Combining those and other words
> >> may give you varying levels of success, I think.
> >>
> >> --Devon
> >>
> >> jahmon wrote:
> >>
> >>> I have a server that has been compromised.
> >>> I'm running version 4.6.2
> >>> when I do
> >>>
> >>>     >last
> >>>
> >>> this line comes up in the list.
> >>>
> >>>     shutdown ~ Thu Aug 28 05:22
> >>>
> >>> That was the time the server went down.
> >>> There seemed to be some configuration changes.
> >>> Some of the files seemed to revert back to default versions
> >>> (httpd.conf, resolv.conf)
> >>>
> >>> Does anyone have a clue what type of exploit they may have used?
> >>> Is there any way I can find out if there are any trojans installed?
> >>>
> >>> Thanks
> >>>
> >>> jahmon
> >>>
> >>> _______________________________________________
> >>> freebsd-security@freebsd.org mailing list
> >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >>> To unsubscribe, send any mail to
> >>> "freebsd-security-unsubscribe@freebsd.org"

=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------
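The setuid/setgid find(1) check quoted in the thread, extended into a snapshot-and-compare routine as an added example (this is not code from anyone in the thread). The script, its function names and the "snapshot"/"compare" subcommands are my assumptions; it assumes POSIX find, cksum, sort and diff, and is meant to be run from trusted tools (such as the CD-mounted utilities the reply mentions) rather than the suspect host's own binaries.

```shell
#!/bin/sh
# Added example, not from the thread: the quoted find(1) check for
# setuid/setgid files, extended into a snapshot-and-compare routine.
# Run "snapshot" on a known-good install and keep the output offline;
# run "compare" on the suspect host. Any file that gained a setuid/setgid
# bit, changed size or changed content shows up as a diff line.
# Assumes POSIX find(1), cksum(1), sort(1) and diff(1).

# Paths of all setuid or setgid regular files under $1, sorted for diffing.
list_sxid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) | LC_ALL=C sort
}

# Baseline record: one "crc size path" line per file (cksum output),
# sorted by path so two snapshots of the same tree line up.
snapshot_sxid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -exec cksum {} + \
        | LC_ALL=C sort -k 3
}

# Compare the live tree under $1 with the saved baseline file $2.
# Exits 0 when identical; otherwise prints the diff and exits 1.
compare_sxid() {
    snapshot_sxid "$1" | diff "$2" -
}

# Usage: sxid_check.sh snapshot ROOT > baseline    (known-good system)
#        sxid_check.sh compare  ROOT baseline      (suspect system)
case "${1:-}" in
    snapshot) snapshot_sxid "$2" ;;
    compare)  compare_sxid "$2" "$3" ;;
esac
```

A clean diff does not prove the host is clean (a rootkit may hide files from find or replace cksum itself), which is why the baseline and the tools should live on read-only media.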