Re: compromised server
From: Joe Warner (rootman22_at_comcast.net)
Date: 08/29/03
- In reply to: jahmon: "compromised server"
To: jahmon <jahmon@jahmon.com>, freeBSD-security@freebsd.org
Date: Fri, 29 Aug 2003 06:38:12 -0600
Hi Jahmon,
I'd highly recommend you try The Coroner's Toolkit (TCT):
http://www.porcupine.org/forensics/tct.html
Take a look at "Help! Someone has broken into my system!"
http://www.fish.com/tct/help-when-broken-into
..at the bottom of the page.
Good luck,
Joe
On Thursday 28 August 2003 08:41 am, jahmon wrote:
> I have a server that has been compromised.
> I'm running version 4.6.2
> when I do
>
> >last
>
> this line comes up in the list.
> shutdown ~ Thu Aug 28 05:22
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf)
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"