From owner-freebsd-security Sun Dec 20 09:46:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA01964 for freebsd-security-outgoing; Sun, 20 Dec 1998 09:46:24 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phoenix (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA01959 for ; Sun, 20 Dec 1998 09:46:23 -0800 (PST) (envelope-from brich@aye.net)
Received: (qmail 5843 invoked by uid 7506); 20 Dec 1998 17:44:05 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 20 Dec 1998 17:44:05 -0000
Date: Sun, 20 Dec 1998 12:44:05 -0500 (EST)
From: Barrett Richardson
To: Alejandro Galindo Chairez AGALINDO
cc: freebsd-security@FreeBSD.ORG
Subject: Re: udp security
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Do you want to shut the guys out or find out what they are doing? A re-install may be safest at this point.

Some simple things you could do - check the rc files and root's .profile, .bash_profile or whatever for booby traps. Disable network services that you can live without; use nmap to do a port scan and try to identify what else there is. Do a 'grep :0: /etc/master.passwd' and look for bogus privileged accounts. Check timestamps in /etc/services and /etc/inetd.conf and look for extra entries there. Turn on process accounting (stash the accounting file in an out of the way place). Make hard links to /var/log/messages, history files and hide them somewhere. You may want to set the append only flag on various things like /var/log/messages, .history, /etc/master.passwd and raise the secure level. Inventory suid binaries on the system (look for a setuid editor or vipw). Be extra careful. A cracker would probably rather destroy your system than leave evidence that can't be erased.
Maybe hide the 'rm' and 'dd' commands and replace them with something that does nothing. Entertain the idea that multiple backdoors could be in place and they could be making new ones while you are plugging old ones -- a clean slate may be your most economical fix if you don't find something obvious quickly.

--
Barrett

On Sun, 20 Dec 1998, Alejandro Galindo Chairez AGALINDO wrote:

> My name is Alejandro and I have some servers in Mexico with FreeBSD 2.2.5,
> 2.2.6 and 2.2.7 releases (from Walnut Creek CDROM).
>
> One month ago my servers were attacked by some hackers. I was
> monitoring their activities and I only know that they are using the user
> datagram protocol. I installed a firewall but this can't stop their
> activities. I am worried because last week they deleted the log files from
> /var/log and last day they accessed one of my servers with a username and a
> password (they created the username and password, they accessed the server
> for 3 minutes and then they deleted the user). I AM WORRIED because I don't
> know how they did that. The server violated had the 2.2.5 version and I
> upgraded it to the 2.2.7 release, but this morning the hackers insist on
> accessing my servers.
>
> I need help, I need to know how to protect my servers, but the most
> important thing in my mind is to know how they are accessing the servers. I
> bought the Firewalls book from O'Reilly & Associates and I was using the
> firewall with ipfw, but this doesn't stop the hackers.
>
> Thanks for your help
>
> Alejandro Galindo
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
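The checklist in the reply above (bogus uid-0 accounts, extra inetd entries, a setuid inventory, hard-linked copies of logs) as a POSIX sh script. This is an added example, not code from the mail or from FreeBSD; it runs against constructed sample files in a temp directory so it can be tried offline, and the account name, paths and log line in those samples are made up. It assumes the FreeBSD master.passwd field layout (name:pw:uid:gid:class:change:expire:gecos:home:shell) and refines the 'grep :0:' suggestion by testing the uid field itself, since ':0:' also matches the gid field. The FreeBSD-only steps (chflags sappnd, raising the securelevel) are left as a comment because they do not run elsewhere.

```shell
#!/bin/sh
# Added triage helpers for the checks suggested in the reply above.
# They run against constructed sample files in a temp directory so the
# script works offline; on a real FreeBSD host you would point them at
# /etc/master.passwd, /etc/inetd.conf and / instead. Account names,
# paths and log lines below are made up for the demonstration.
set -e

# Every account whose uid (field 3 of master.passwd) is 0, on one line.
# Testing field 3 avoids the false hits 'grep :0:' gets from the gid or
# other fields. On FreeBSD only root and toor belong in this list.
find_uid0_accounts() {
    awk -F: '!/^#/ && $3 == 0 { n = n (n ? " " : "") $1 } END { print n }' "$1"
}

# Sorted inventory of setuid/setgid regular files under a directory.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

# Enabled inetd services (first field of non-comment lines) that are not
# in the space-separated allowlist passed as the second argument.
unexpected_inetd_services() {
    awk -v allow=" $2 " '!/^[ \t]*(#|$)/ {
        if (index(allow, " " $1 " ") == 0) n = n (n ? " " : "") $1
    } END { print n }' "$1"
}

# Hard-link a log into a stash directory: if the original is later
# removed, the data stays reachable through the link. Prints the link
# count of the original afterwards (2 when the link was made).
stash_log() {
    ln "$1" "$2/$(basename "$1").stash"
    ls -ld "$1" | awk '{ print $2 }'
}

# --- constructed sample data (not from any real host) ---
WORK=$(mktemp -d)
cat > "$WORK/master.passwd" <<'EOF'
# constructed sample in FreeBSD master.passwd format
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
sysadm:*:0:0::0:0:bogus uid-0 account planted for the demo:/tmp:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
EOF
cat > "$WORK/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root    /usr/libexec/telnetd  telnetd

finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd  fingerd -s
EOF
mkdir -p "$WORK/tree/bin" "$WORK/stash"
printf '#!/bin/sh\n' > "$WORK/tree/bin/vi";   chmod 755  "$WORK/tree/bin/vi"
printf '#!/bin/sh\n' > "$WORK/tree/bin/vipw"; chmod 4755 "$WORK/tree/bin/vipw"
printf 'Dec 20 12:44:05 host login: ROOT LOGIN (root) ON ttyp0\n' > "$WORK/messages"

# --- run the checks against the samples ---
echo "uid-0 accounts      : $(find_uid0_accounts "$WORK/master.passwd")"
echo "setuid/setgid files : $(find_setid_files "$WORK/tree")"
echo "unexpected inetd    : $(unexpected_inetd_services "$WORK/inetd.conf" "ftp telnet")"
echo "messages link count : $(stash_log "$WORK/messages" "$WORK/stash")"
# On FreeBSD you would also 'chflags sappnd' the stashed copies and raise
# the securelevel so the flag cannot be cleared; that is not portable, so
# it is left as a comment here.
```

With the samples above the first check reports the planted sysadm account alongside root and toor, the setuid inventory reports only vipw, and the inetd check reports finger as the entry missing from the allowlist; the same functions can be pointed at the real files once the allowlist reflects what the host is supposed to run.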