hacked

[Alex de Kruijff]

On Tue, Mar 09, 2004 at 02:56:15AM +0800, re re wrote:
> hello
> despite having ipfilter blocking all ports except 80 21 and 22, tripwire, and scoring 999999 in nmap, my website got defaced.
> the box is currently unplugged.  i wanted to know what is the best way to find out who did it and how they got in, and what to do from here.  tripwire shows a lot of files changed, most of which could be attributed to cvsup'ing recently.  any other security precautions to take disaster recovery guides?  i've already changed p/w's on my other boxes.

Dear Re,

Could you please cut you text so that the lines are less then 72 char.
I'm on a console and this does read a bit difficult.

What you could do to make you box more secure:
- Run portsentry
- Run a jail

Whow you can find out how they broke in and who they are?
- The log files whould be your first clue. However this could be
  modified by the cracker.
- Check changes in tripwire
- Look for strange files
- Check what programs are started
- Check of security compremisses.
- Check if any backdoors where installed.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/