From owner-freebsd-security Mon Feb 19 13:20:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 4C6A437B401 for ; Mon, 19 Feb 2001 13:20:31 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f1JLKTp23491; Mon, 19 Feb 2001 13:20:29 -0800 (PST) Date: Mon, 19 Feb 2001 13:20:29 -0800 From: Alfred Perlstein To: Andy Kim Cc: freebsd-security@FreeBSD.ORG Subject: Re: ICMP floods Message-ID: <20010219132029.P6641@fw.wintelcom.net> References: <007901c09ab9$77d5c720$7300a8c0@DOMAIN> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <007901c09ab9$77d5c720$7300a8c0@DOMAIN>; from andy@internetesl.com on Mon, Feb 19, 2001 at 01:18:12PM -0800 X-all-your-base: are belong to us. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Andy Kim [010219 13:18] wrote: > Some of the servers have been getting hit several times with ICMP > floods from our FreeBSD server and we can't figure out why. They > believe that someone had hacked in and put a trojan on our box. > Is there any way of finding out what's going on and more importantly, > how to fix the problem? Any help would be greatly appreciated as > I am rather new to FreeBSD. First off, please wrap lines at 70 characters. As far as "recovering" this machine, your best bet is to do a backup of all the _data_ (NOT executables) on the mahcine, ie, html, or whatever, then do a complete reinstall. Otherwise you risk a backdoor remaining in the system and wasting even more of your time and reasources. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message