Re: compromised server

From: Devon H. O'Dell (dodell_at_sitetronics.com)
Date: 08/28/03

    Date: Thu, 28 Aug 2003 18:15:00 +0200
    To: jahmon <jahmon@jahmon.com>, freebsd-security@freebsd.org
    
    

    Heh, I forgot to send this to the group... so here it is.

    To check for suid and sgid programs, run the following command:

    find / -type f \( -perm -04000 -o -perm -02000 \)

    Hope this helps.

    --Devon
    jahmon wrote:

    > Devon,
    >
    > checked the /var/log - nothing strange found
    > ran chkrootkit - nothing found
    > checked user accounts - no new accounts found
    >
    > how do I check for suid permissions.
    >
    > Thanks,
    >
    > jahmon
    > On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. O'Dell wrote:
    >
    >> You will want to read everything in /var/log, run chkrootkit, check
    >> out .history files, look for new user accounts, look for files with
    >> suid permissions and other similar stuff. I don't know of a site that
    >> really says what exactly to do. If someone knows such a reference,
    >> it'd be highly useful. Otherwise, is anybody willing to write one
    >> (I'd be willing to contribute).
    >>
    >> One good thing may be to search for computer forensics on Google;
    >> specifically for compromised servers. Combining those and other words
    >> may give you varying levels of success, I think.
    >>
    >> --Devon
    >>
    >> jahmon wrote:
    >>
    >>> I have a server that has been compromised.
    >>> I'm running version 4.6.2
    >>> when I do
    >>>
    >>> >last
    >>>
    >>> this line comes up in the list.
    >>> shutdown ~ Thu Aug 28 05:22
    >>> That was the time the server went down.
    >>> There seemed to be some configuration changes.
    >>> Some of the files seemed to revert back to default versions
    >>> (httpd.conf, resolv.conf)
    >>>
    >>> Does anyone have a clue what type of exploit they may have used?
    >>> Is there anyway I can find out if there are any trojans installed?
    >>>
    >>> Thanks
    >>>
    >>> jahmon
    >>>
    >>> _______________________________________________
    >>> freebsd-security@freebsd.org mailing list
    >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
    >>> To unsubscribe, send any mail to
    >>> "freebsd-security-unsubscribe@freebsd.org"
    >>>
    >>>
    >>
    >
    >
    >

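An added example (not part of the thread) that turns the setuid/setgid one-liner above into something usable during a compromise check: it inventories setuid and setgid files and diffs them against a baseline list taken from a known-good host. The baseline file name, the script name and the paths in the comments are assumptions.

```shell
#!/bin/sh
# Setuid/setgid inventory with baseline comparison. Added example, not from
# the thread. Assumption: BASELINE is a file with one path per line, produced
# by find_setid_files on a known-good host or a fresh install of the same release.

# Corrected form of the one-liner from the thread (find needs a space after
# the escaped parenthesis). Lists regular files under ROOT that are setuid or
# setgid, sorted bytewise so the output can be fed straight to comm(1).
find_setid_files() {
    root=${1:-/}
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | LC_ALL=C sort
}

# Paths that are setuid/setgid now but absent from BASELINE: the binaries to
# inspect first. Note that an unchanged list does not prove a clean system;
# a replaced binary keeps its path and mode, so also compare checksums.
new_setid_files() {
    tmp=$(mktemp) || return 1
    find_setid_files "$1" > "$tmp"
    LC_ALL=C sort "$2" | LC_ALL=C comm -13 - "$tmp"
    rm -f "$tmp"
}

# Paths in BASELINE that are no longer setuid/setgid (deleted, or had the bit
# stripped), which also counts as an unexplained change.
missing_setid_files() {
    tmp=$(mktemp) || return 1
    find_setid_files "$1" > "$tmp"
    LC_ALL=C sort "$2" | LC_ALL=C comm -23 - "$tmp"
    rm -f "$tmp"
}

# Usage: sh setid_audit.sh ROOT BASELINE   (e.g. / and /root/setid.baseline)
main() {
    [ $# -eq 2 ] || { echo "usage: $0 ROOT BASELINE" >&2; return 2; }
    echo "== setuid/setgid files not in baseline =="
    new_setid_files "$1" "$2"
    echo "== baseline entries no longer setuid/setgid =="
    missing_setid_files "$1" "$2"
}

# Run only when given arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Record the baseline (find_setid_files output) when a host is built, and keep a copy off the machine; a baseline stored only on the compromised host can itself have been edited.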

