Need urgent help regarding security

Mark Jayson Alvarez jay2xra at yahoo.com
Thu Nov 17 04:13:27 GMT 2005 

Steve Bertrand <iaccounts at ibctech.ca> wrote:  
> Now what I want to do is to just reinstall the whole 
> operating system and secure it as possible as I can. Like 
> someone told, its just a waste to try to track it down 
> because the intruder might be located somewhere on the other 
> side of the world.

They are always on the other side of the world...this is the Internet.

If that is your solution, I would recommend reconfiguring your FTP
servers DNS entries, and applying another IP to the box,lest you be
affected again. However, that won't even fix it, becuase it will just be
found again by someone else.

Unplugging the box just informs the attacker that you are aware of them.
Moving the IP just makes people re-locate you. The solution is make the
box accessible to only those who need it...and only the services they
need.

.02 Steve
No,  that is not the solution I'm thinking of.. You see right now, that  machine contains at least 200 Gb of important files... I'm just  paranoid that the intruder might just launch an rm -rf. Right now we  don't have a backup of those files yet.
  
  I'm really eager to know how the intruder got into our machine, I'm  just afraid that he might be reading everything I am typing in the  terminal. I am also dissapointed because most of our server  configuration files are in my home directory but doing the ls /tmp....  I found those files. Those files are our proxy configurations  containing all of our peer proxies (ipaddress) and also the squid.conf  which I'm afraid that the intruder can use to launch an attack to our  proxy farm. You see those proxies aren't in a much secure mode yet but  they are the MOST critical service in our company because all of our  partners are passing through that proxies. Now what I really wan't to  do is to just do the right thing but only one by one. I got so many  replies, someone even suggested finding out the irc channel and try to  have a little chat with the intruders. Someone suggested putting up a  firewall before it and try to dump the packets to retrieve relevant  informations. I'm 
 really
 so confused right now as to where to start....  
  
  Right now, the server is currently inaccessible from the network, but  it is still running( I just remembered someone suggested not shutting  it down because the script the intruder used might get automatically  erased).
  
  From there... where should I start.?
  
  Thank you very much.
  
  
  
  


		
---------------------------------
 Yahoo! FareChase - Search multiple travel sites in one click.

More information about the freebsd-questions mailing list