Re: compromised server

From: twig les (twigles_at_yahoo.com)
Date: 08/28/03

    Date: Thu, 28 Aug 2003 09:45:24 -0700 (PDT)
    To: "Devon H. O'Dell" <dodell@sitetronics.com>, jahmon <jahmon@jahmon.com>, freebsd-security@freebsd.org
    
    

    No one will be able to even guess how they got in without
    knowing what you are running on the box (IIS, MSSql, etc.
    [hahah, jk]). Although this may be belated, there is an
    excellent book called "Incident Response: Investigating Computer
    Crime" from authors Mandia and Prosise. Unfortunately I can
    almost guarantee that the advice the book will give you is to
    restore from the last known-good backup after re-installing the
    OS cleanly. If you were going to try to go hardcore forensics
    on an intrusion you would have to already have a nice set of
    utilities, hopefully on CD or floppy, ready to be mounted like:
    ps, ls, top, The Coroner's Toolkit, etc (I'm sure I'm missing a
    bunch).

    Sorry for the doom and gloom (and the lame MS joke) but the book
    is truly a fascinating read even if you have nothing to do with
    incident response.

    --- "Devon H. O'Dell" <dodell@sitetronics.com> wrote:
    > Heh, I forgot to send this to the group... so here it is.
    >
    > To check for suid and sgid programs, run the following
    > command:
    >
    > find / -type f \( -perm -04000 -o -perm -02000 \)
    >
    > Hope this helps.
    >
    > --Devon
    >
    > jahmon wrote:
    >
    > > Devon,
    > >
    > > checked the /var/log - nothing strange found
    > > ran chkrootkit - nothing found
    > > checked user accounts - no new accounts found
    > >
    > > how do I check for suid permissions.
    > >
    > > Thanks,
    > >
    > > jahmon
    > > On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. O'Dell wrote:
    > >
    > >> You will want to read everything in /var/log, run chkrootkit, check
    > >> out .history files, look for new user accounts, look for files with
    > >> suid permissions and other similar stuff. I don't know of a site that
    > >> really says what exactly to do. If someone knows such a reference,
    > >> it'd be highly useful. Otherwise, is anybody willing to write one
    > >> (I'd be willing to contribute).
    > >>
    > >> One good thing may be to search for computer forensics on Google;
    > >> specifically for compromised servers. Combining those and other words
    > >> may give you varying levels of success, I think.
    > >>
    > >> --Devon
    > >>
    > >> jahmon wrote:
    > >>
    > >>> I have a server that has been compromised.
    > >>> I'm running version 4.6.2
    > >>> when I do
    > >>>
    > >>> >last
    > >>>
    > >>> this line comes up in the list.
    > >>> shutdown ~ Thu Aug 28 05:22
    > >>> That was the time the server went down.
    > >>> There seemed to be some configuration changes.
    > >>> Some of the files seemed to revert back to default versions
    > >>> (httpd.conf, resolv.conf)
    > >>>
    > >>> Does anyone have a clue what type of exploit they may have used?
    > >>> Is there any way I can find out if there are any trojans installed?
    > >>>
    > >>> Thanks
    > >>>
    > >>> jahmon
    > >>>

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
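Devon's find command, turned into a baseline comparison (an added example, not code from the thread): it lists setuid/setgid files, diffs them against a listing taken from a known-good install, and flags anything that was not there before. It assumes a POSIX sh with find, ls, awk and comm; the throwaway tree under mktemp and the baseline file path are constructed for the self-test.

```shell
#!/bin/sh
# Added example: setuid/setgid inventory against a known-good baseline.

# Print "path mode owner" for every setuid or setgid regular file under $1,
# using the same find test as in the thread (note the spaces around \( and \)).
list_suid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -exec ls -ld {} \; 2>/dev/null \
        | awk '{print $NF, $1, $3}' | LC_ALL=C sort
}

# Compare the current inventory of $1 against baseline file $2.
# Returns 0 when nothing new appeared, 1 (and prints the new lines) otherwise.
check_suid() {
    root=$1; baseline=$2
    cur=$(mktemp) || return 2
    list_suid "$root" > "$cur"
    new=$(LC_ALL=C comm -13 "$baseline" "$cur")   # lines only in the current run
    rm -f "$cur"
    if [ -n "$new" ]; then
        printf 'NEW/CHANGED setuid or setgid files:\n%s\n' "$new"
        return 1
    fi
    return 0
}

# Constructed self-test (hypothetical tree, not a real system): take a baseline,
# plant one extra setuid file, and confirm check_suid reports exactly that.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/bin" "$d/tmp"
    printf '#!/bin/sh\n' > "$d/bin/su";   chmod 4755 "$d/bin/su"    # expected setuid
    printf '#!/bin/sh\n' > "$d/bin/wall"; chmod 2755 "$d/bin/wall"  # expected setgid
    list_suid "$d" > "$d/baseline.txt"
    clean=0; check_suid "$d" "$d/baseline.txt" > /dev/null || clean=$?
    printf '#!/bin/sh\n' > "$d/tmp/planted"; chmod 4755 "$d/tmp/planted"
    found=0; check_suid "$d" "$d/baseline.txt" | grep -q "$d/tmp/planted" || found=$?
    rm -rf "$d"
    [ "$clean" -eq 0 ] && [ "$found" -eq 0 ] && echo ok
}

demo
```

On a suspect host, run this with PATH pointing at the trusted find/ls/awk copies on the CD or floppy twig les mentions, not the system's own binaries, since those are exactly what a rootkit would replace.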

