hacked
Alex de Kruijff
freebsd at akruijff.dds.nl
Tue Mar 9 15:50:11 PST 2004
On Tue, Mar 09, 2004 at 02:56:15AM +0800, re re wrote:
> hello
> despite having ipfilter blocking all ports except 80 21 and 22, tripwire, and scoring 999999 in nmap, my website got defaced.
> the box is currently unplugged. i wanted to know what is the best way to find out who did it and how they got in, and what to do from here. tripwire shows a lot of files changed, most of which could be attributed to cvsup'ing recently. any other security precautions to take disaster recovery guides? i've already changed p/w's on my other boxes.
Dear Re,
Could you please cut you text so that the lines are less then 72 char.
I'm on a console and this does read a bit difficult.
What you could do to make you box more secure:
- Run portsentry
- Run a jail
Whow you can find out how they broke in and who they are?
- The log files whould be your first clue. However this could be
modified by the cracker.
- Check changes in tripwire
- Look for strange files
- Check what programs are started
- Check of security compremisses.
- Check if any backdoors where installed.
--
Alex
Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
More information about the freebsd-questions
mailing list