Need urgent help regarding security
Mark Jayson Alvarez
jay2xra at yahoo.com
Thu Nov 17 04:13:27 GMT 2005
Steve Bertrand <iaccounts at ibctech.ca> wrote:
> Now what I want to do is to just reinstall the whole
> operating system and secure it as much as I can. Like
> someone told me, it's just a waste to try to track it down
> because the intruder might be located somewhere on the other
> side of the world.
They are always on the other side of the world...this is the Internet.
If that is your solution, I would recommend reconfiguring your FTP
server's DNS entries and applying another IP to the box, lest you be
affected again. However, that won't even fix it, because it will just be
found again by someone else.
Unplugging the box just informs the attacker that you are aware of them.
Moving the IP just makes people re-locate you. The solution is make the
box accessible to only those who need it...and only the services they
No, that is not the solution I'm thinking of... You see, right now that machine contains at least 200 GB of important files... I'm just paranoid that the intruder might just launch an rm -rf. Right now we don't have a backup of those files yet.
I'm really eager to know how the intruder got into our machine, but I'm just afraid that he might be reading everything I am typing in the terminal. I am also disappointed because most of our server configuration files are in my home directory, but doing ls /tmp... I found those files. Those files are our proxy configurations containing all of our peer proxies (IP addresses) and also the squid.conf, which I'm afraid the intruder can use to launch an attack on our proxy farm. You see, those proxies aren't in a very secure state yet, but they are the MOST critical service in our company because all of our partners are passing through those proxies. Now what I really want to do is just the right thing, but only one step at a time. I got so many replies; someone even suggested finding out the IRC channel and trying to have a little chat with the intruders. Someone suggested putting up a firewall in front of it and trying to dump the packets to retrieve relevant information. I'm so confused right now as to where to start....
Right now, the server is currently inaccessible from the network, but it is still running (I just remembered someone suggested not shutting it down because the script the intruder used might get automatically erased).
From there... where should I start?
Thank you very much.
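The first defensive step that follows from the situation described above (unbacked-up data, planted files in /tmp, a box that must stay up) is to record what is on disk before anything is moved or cleaned, then verify the off-box copy against that record. The following script is an added example, not code from the thread or from FreeBSD; it assumes only the Python standard library, and the paths and sample content in its usage are constructed.

```python
"""Evidence manifest for a directory on a compromised host.

Records owner, mode, size, mtime/ctime and a SHA-256 per file so that
the off-box backup can be verified and any later change (or a wholesale
rm -rf) is detectable against the recorded state. Run it before
touching the files; copying or cleaning first destroys that baseline.
"""
import hashlib
import os
import stat


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in 1 MiB chunks so large files stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: record} for every entry found under root.

    Symlinks are recorded (with their target) but never followed, so a
    planted link cannot pull /etc/passwd into the "backup" or loop the walk.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)          # lstat: describe the link itself
            rec = {"uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
                   "mode": oct(stat.S_IMODE(st.st_mode)),
                   "mtime": st.st_mtime, "ctime": st.st_ctime}
            if stat.S_ISLNK(st.st_mode):
                rec["symlink"] = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                rec["sha256"] = hash_file(full)
            manifest[os.path.relpath(full, root)] = rec
    return manifest


def verify_copy(manifest, copy_root):
    """Check a copy (e.g. the backup pulled to a clean host) against the
    manifest. Returns the paths that are missing or whose content differs."""
    bad = []
    for rel, rec in manifest.items():
        if "sha256" not in rec:        # links and special files: not hashed
            continue
        target = os.path.join(copy_root, rel)
        if not os.path.isfile(target) or hash_file(target) != rec["sha256"]:
            bad.append(rel)
    return sorted(bad)
```

Write the manifest to a separate, clean host (the compromised box may be watched), and re-run `build_manifest` later on the same tree to see exactly what the intruder has changed in the meantime.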