Re: compromised server

From: Guy P. (guy_at_device.dyndns.org)
Date: 08/28/03

    Date: Thu, 28 Aug 2003 17:22:25 +0200
    To: freeBSD-security@freebsd.org

    At 16:41 28/08/2003, jahmon wrote:
    >I have a server that has been compromised.
    >I'm running version 4.6.2
    >when I do
    >
    > >last
    >
    >this line comes up in the list.
    >shutdown ~ Thu Aug 28 05:22
    >That was the time the server went down.
    >There seemed to be some configuration changes.
    >Some of the files seemed to revert back to default versions
    >(httpd.conf, resolv.conf)
    >
    >Does anyone have a clue what type of exploit they may have used?
    >Is there any way I can find out if there are any trojans installed?
    >
    >Thanks
    >
    >jahmon

    Usual process is to shut down the computer ASAP and never boot again from its
    current disk until it's wiped out / or you have retrieved all the information
    you wanted.
    Instead, boot off a CD (live filesystem if you've got it, but an install CD
    could do too) and make sure to mount your (compromised) disk(s) read-only,
    without running anything executable out of it.

    Then proceed to investigation. First step would be chkrootkit (though part of
    its tests require you to run it "live" on the suspicious system). Also
    spend some time reading the various /var/log files (but don't rely on their
    integrity). If you have an aide or tripwire "image" of your system
    somewhere, time to put it to use.

    For more ideas you could read for instance the archives of honeynet
    challenges ( http://project.honeynet.org/misc/chall.html ).

    gd'luk

    --
             Guy 
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
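The steps Guy describes (mount the suspect disk read-only with nothing executable, then put an aide/tripwire-style baseline to use) as an added example that is not from the thread: the device name, mount point and manifest paths are assumptions, and the hashes in the demo are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original post. Device, mount point and
# manifest paths are assumptions; the hashes in demo() are constructed.

# From the live-CD environment, mount the suspect slice read-only and with
# noexec/nosuid so nothing on the compromised disk can be run by mistake.
mount_suspect() {
    # $1 = device (e.g. /dev/ad0s1a, assumed), $2 = mount point
    mount -o ro,noexec,nosuid "$1" "$2"
}

# Walk a mounted (read-only) tree and emit "HASH  PATH" lines, the format
# diff_manifests expects. Uses sha256sum; the baseline must have been built
# with the same tool, whatever your aide/tripwire setup used.
make_manifest() {
    find "$1" -type f -exec sha256sum {} + | sort -k2
}

# Compare a pre-incident baseline manifest against one taken now and print
# "changed", "added" or "removed" followed by the path, sorted.
diff_manifests() {
    awk '
        FNR == NR { base[$2] = $1; next }           # first file = baseline
        {
            cur[$2] = $1
            if (!($2 in base))        print "added   " $2
            else if (base[$2] != $1)  print "changed " $2
        }
        END { for (p in base) if (!(p in cur)) print "removed " p }
    ' "$1" "$2" | sort
}

# Self-contained demo with constructed manifests: resolv.conf and httpd.conf
# hash differently (reverted to defaults, as in the report) and one file has
# appeared that was not in the baseline.
demo() {
    d=$(mktemp -d)
    cat > "$d/baseline" <<'EOF'
1111111111111111  /etc/resolv.conf
2222222222222222  /usr/local/etc/apache/httpd.conf
3333333333333333  /bin/ls
EOF
    cat > "$d/current" <<'EOF'
aaaaaaaaaaaaaaaa  /etc/resolv.conf
bbbbbbbbbbbbbbbb  /usr/local/etc/apache/httpd.conf
3333333333333333  /bin/ls
cccccccccccccccc  /usr/local/bin/newfile
EOF
    diff_manifests "$d/baseline" "$d/current"
    rm -rf "$d"
}
```

Running `demo` lists the two changed configs and the added file; in real use, run make_manifest over the read-only mount and feed its output to diff_manifests together with your stored baseline.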
    
