compromised server

Devon H. O'Dell dodell at sitetronics.com
Thu Aug 28 09:15:39 PDT 2003


Heh, I forgot to send this to the group... so here it is.

To check for suid and sgid programs, run the following command:

find / -type f \( -perm -04000 -o -perm -02000 \)

Hope this helps.

--Devon
jahmon wrote:

> Devon,
>
> checked the /var/log - nothing strange found
> ran chkrootkit  - nothing found
> checked user accounts - no new accounts found
>
> how do I check for suid permissions.
>
> Thanks,
>
> jahmon
> On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. O'Dell wrote:
>
>> You will want to read everything in /var/log, run chkrootkit, check 
>> out .history files, look for new user accounts, look for files with 
>> suid permissions and other similar stuff. I don't know of a site that 
>> really says what exactly to do. If someone knows such a reference, 
>> it'd be highly useful. Otherwise, is anybody willing to write one 
>> (I'd be willing to contribute).
>>
>> One good thing may be to search for computer forensics on Google; 
>> specifically for compromised servers. Combining those and other words 
>> may give you varying levels of success, I think.
>>
>> --Devon
>>
>> jahmon wrote:
>>
>>> I have a server that has been compromised.
>>> I'm running version 4.6.2
>>> when I do
>>>
>>> >last
>>>
>>> this line comes up in the list.
>>> shutdown         ~                         Thu Aug 28 05:22
>>> That was the time the server went down.
>>> There seemed to be some configuration changes.
>>> Some of the files seemed to revert back to default versions
>>> (httpd.conf, resolv.conf)
>>>
>>> Does anyone have a clue what type of exploit they may have used?
>>> Is there any way I can find out if there are any trojans installed?
>>>
>>> Thanks
>>>
>>> jahmon
>>>
>>> _______________________________________________
>>> freebsd-security at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to 
>>> "freebsd-security-unsubscribe at freebsd.org"
>>>
>>>
>>
>
>
>
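The two checks Devon lists that need the most care to get right, finding setuid/setgid files and spotting new accounts, as an added example that is not part of the original thread. It is a POSIX sh script that builds a constructed directory tree, a constructed baseline list and a constructed passwd file under mktemp, so it runs offline without touching the real system; the function names, the "sysadm" account and every path in the demo are assumptions for illustration only. Note the spacing in the find command: `\(` and `\)` have to be separate words, or find rejects the expression.

```shell
#!/bin/sh
# Added example, not code from the original thread. Offline triage for two
# of the checks discussed above: setuid/setgid files that were not there
# before, and accounts other than root that carry UID 0. The demo builds a
# small constructed directory tree, baseline and passwd file under mktemp
# so it never touches the real system; on a real host you would run
# find_setid against / and uid0_accounts against /etc/passwd.
set -u

# List setuid and setgid regular files below $1, sorted. The spaces around
# \( and \) matter: they must reach find as separate arguments.
find_setid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# Print each line of the current list ($2) that does not appear in the
# baseline list ($1). Uses awk rather than comm so neither file has to be
# pre-sorted and an empty baseline is handled correctly.
new_setid() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# Print account names in passwd file $1 with UID 0 other than root and
# toor (toor is a stock FreeBSD account; drop it from the exclusion list
# if your system does not ship it).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" && $1 != "toor" { print $1 }' "$1"
}

# Constructed demo: one known setuid file, one known setgid file, one
# ordinary file, one setuid shell hidden in a dot directory under tmp, and
# a passwd file with a planted "sysadm" UID-0 account (all hypothetical).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/bin" "$tmp/root/tmp/.x"
    : > "$tmp/root/bin/su";     chmod 4755 "$tmp/root/bin/su"
    : > "$tmp/root/bin/wall";   chmod 2755 "$tmp/root/bin/wall"
    : > "$tmp/root/bin/ls";     chmod 0755 "$tmp/root/bin/ls"
    : > "$tmp/root/tmp/.x/sh";  chmod 4755 "$tmp/root/tmp/.x/sh"

    # Baseline as it would have been recorded before the incident.
    printf '%s\n' "$tmp/root/bin/su" "$tmp/root/bin/wall" > "$tmp/baseline"
    find_setid "$tmp/root" > "$tmp/current"

    cat > "$tmp/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
jahmon:*:1001:1001:jahmon:/home/jahmon:/bin/sh
sysadm:*:0:0:system:/tmp:/bin/sh
EOF

    echo "== setuid/setgid files not in baseline =="
    new_setid "$tmp/baseline" "$tmp/current"
    echo "== UID-0 accounts other than root/toor =="
    uid0_accounts "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

Two caveats a practitioner would add. First, on a box that is already compromised, find, awk and sh themselves may have been replaced (that is what chkrootkit is looking for), so run these from a known-good boot medium or mount the disk read-only on a clean machine. Second, the comparison is only as good as the baseline: a list taken after the break-in has no "before" to diff against, so record one ahead of time; on FreeBSD, mtree(8) can write a specification with file digests for exactly this purpose.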


