Date: Sun, 20 Dec 1998 12:44:05 -0500 (EST)
From: Barrett Richardson <brich@aye.net>
To: Alejandro Galindo Chairez AGALINDO <agalindo@servidor.exsocom.com.mx>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: udp security
Message-ID: <Pine.BSF.3.96.981220120424.26582B-100000@phoenix.aye.net>
In-Reply-To: <Pine.BSF.3.96.981220102303.28050A-100000@servidor.exsocom.com.mx>
Do you want to shut the guys out or find out what they are doing? A re-install may be safest at this point. Some simple things you could do - check the rc files and root's .profile, .bash_profile or whatever for booby traps. Disable network services that you can live without; use nmap to do a port scan and try to identify what else there is. Do a 'grep :0: /etc/master.passwd' and look for bogus privileged accounts. Check timestamps on /etc/services and /etc/inetd.conf and look for extra entries there. Turn on process accounting (stash the accounting file in an out-of-the-way place). Make hard links to /var/log/messages and history files and hide them somewhere. You may want to set the append-only flag on various things like /var/log/messages, .history, /etc/master.passwd and raise the secure level. Inventory suid binaries on the system (look for a setuid editor or vipw). Be extra careful. A cracker would probably rather destroy your system than leave evidence that can't be erased. Maybe hide the 'rm' and 'dd' commands and replace them with something that does nothing. Entertain the idea that multiple backdoors could be in place and they could be making new ones while you are plugging old ones -- a clean slate may be your most economical fix if you don't find something obvious quickly.
--
Barrett

On Sun, 20 Dec 1998, Alejandro Galindo Chairez AGALINDO wrote:

> My name is Alejandro and I have some servers in Mexico with FreeBSD 2.2.5,
> 2.2.6 and 2.2.7 releases (from Walnut Creek CDROM).
>
> One month ago my servers were attacked by some hackers. I was
> monitoring their activities and I only know that they are using the User
> Datagram Protocol. I installed a firewall but this can't stop their
> activities. I am worried because last week they deleted the log files from
> /var/log and the other day they accessed one of my servers with a username and a
> password (they created the username and password, accessed the server
> for 3 minutes and then deleted the user). I AM WORRIED because I don't
> know how they did that. The violated server had the 2.2.5 version and I
> upgraded it to the 2.2.7 release, but this morning the hackers insist on accessing
> my servers.
>
> I need help. I need to know how to protect my servers, but the most
> important thing in my mind is to know how they are accessing the servers. I
> bought the Firewalls book from O'Reilly & Associates and I was using the
> firewall with ipfw, but this doesn't stop the hackers.
>
> Thanks for your help
>
> Alejandro Galindo

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
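The checks Barrett lists (uid-0 accounts in master.passwd, a setuid inventory, timestamps on /etc/services and /etc/inetd.conf, append-only flags and a raised securelevel) as an added triage script. This is editorial example code, not part of the original thread or of FreeBSD. It only needs POSIX sh, awk and find, so it can be run against files copied off the suspect host; the directory tree and file contents it builds under mktemp are constructed for demonstration, and the paths in the lock-down commands assume a stock FreeBSD layout.

```shell
#!/bin/sh
# Added example, not from the original thread: automate the post-compromise
# checks from the reply above and emit the suggested lock-down commands.
# Sample tree and contents below are constructed; point the functions at the
# real /etc, /usr and /var/log when using this on a suspect host.

# Account names allowed to own uid 0. On FreeBSD root and toor are expected;
# anything else with 0 in the uid field of /etc/master.passwd is suspect.
ALLOWED_UID0="root toor"

# Print uid-0 accounts from a master.passwd-style file that are not allowlisted.
# Field layout: name:password:uid:gid:class:change:expire:gecos:home:shell
uid0_accounts() {
    awk -F: -v allowed="$ALLOWED_UID0" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 == 0 && !($1 in ok) { print $1 }
    ' "$1"
}

# Print every setuid or setgid regular file below a directory. Diff this against
# a known-good install: a setuid editor, shell or copy of vipw is a backdoor.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print regular files below $2 modified more recently than the reference file
# $1 (a file you know predates the intrusion, e.g. an untouched /etc/services).
changed_since() {
    find "$2" -type f -newer "$1" -print 2>/dev/null | sort
}

# Print, rather than run, the lock-down steps: append-only logs and history,
# an immutable master.passwd, and kern.securelevel raised so the flags stick.
# Review the output on the real host, then pipe it into sh.
harden_cmds() {
    for f in /var/log/messages /root/.history; do
        echo "chflags sappnd $f"
    done
    echo "chflags schg /etc/master.passwd"
    echo "sysctl kern.securelevel=1"
}

# --- constructed sample tree so the script runs stand-alone ---
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/etc" "$SAMPLE/usr/bin" "$SAMPLE/var/log"
cat > "$SAMPLE/etc/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
sys0:*:0:0::0:0:System Maintenance:/:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
EOF
printf '#!/bin/sh\n' > "$SAMPLE/usr/bin/vi"     # a setuid editor: instant root shell
chmod 4755 "$SAMPLE/usr/bin/vi"
printf '#!/bin/sh\n' > "$SAMPLE/usr/bin/ls"     # a normal binary, for contrast
chmod 755 "$SAMPLE/usr/bin/ls"
printf 'ftp 21/tcp\n' > "$SAMPLE/etc/services"
touch -t 199811010000 "$SAMPLE/etc/services"    # reference: predates the intrusion
printf 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l\n' > "$SAMPLE/etc/inetd.conf"

echo "== uid-0 accounts not in allowlist =="; uid0_accounts "$SAMPLE/etc/master.passwd"
echo "== setuid/setgid files =="; setuid_files "$SAMPLE/usr"
echo "== files under etc newer than services =="; changed_since "$SAMPLE/etc/services" "$SAMPLE/etc"
echo "== suggested lock-down =="; harden_cmds
```

On the sample tree this reports sys0 as the bogus uid-0 account, the setuid vi, and inetd.conf and master.passwd as modified after the reference file. Run the real checks from a known-clean toolchain (a mounted install CD or a statically linked find and awk), since a rootkitted ls, find or awk will happily hide its own files.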