what www perl script is running?

Olivier Nicole on at cs.ait.ac.th
Tue Aug 25 10:59:17 UTC 2009


Colin,

> I suppose this calls for a "bare-metal" reinstall.
> Is it worth first trying to determine how my system was broken into?

It really depends on:

- what is installed on that machine (how long it would take to
  reinstall, how many software packages, ports, specially configured things).

- how important it is that you keep the machine running (like the only
  web server generating all the revenue for your company vs. your home
  mail server that is being used by you and your household).

If you can afford to take the system down for enough time to reinstall
it from scratch, that is best: you will know 100% that you did not
forget some backdoor somewhere, you may install updated software, you
may implement those fancy changes that you have always wanted to
implement, but that you would not do because you were afraid of
breaking a working server.

In any case, it is a good exercise to try to find out how you were
broken into: a security hole in the OS or some port (hopefully an
upgrade will close them), a security hole in some home-made script? If
you re-install that script on your new server without closing the
holes, the new server will be vulnerable too, and soon compromised.

It may also be good to dig through the logs and try to find who has been
reaching your infected server: it happened to me (third-party software
installed by an outside contractor); from the logs I contacted all the
people that I could locate upstream, and about 5 to 10% of them were not
aware that they had been infected too...

Trying to understand how you got compromised is a good way to gain
deeper knowledge about your system.

Best regards,

Olivier
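The "dig through the logs" step Olivier recommends, as an added example that is not part of the original post: a small sh/awk helper that lists which remote hosts requested a suspect CGI path in an Apache "combined"-format access log, with hit counts and the time of their first request, so you have a list of upstream addresses to contact. The log lines are constructed for the example, and the path /cgi-bin/form.pl is an assumption, not the script from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post. Summarize which clients
# reached a given request path in an Apache/httpd "combined" access log.

# Constructed sample log (not a real capture); in practice point the
# function at /var/log/httpd-access.log or wherever your server writes.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
192.0.2.10 - - [25/Aug/2009:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Aug/2009:09:14:05 +0000] "GET /cgi-bin/form.pl?file=../../etc/passwd HTTP/1.1" 200 512 "-" "curl/7.19"
198.51.100.7 - - [25/Aug/2009:09:20:11 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 77 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Aug/2009:09:20:19 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 77 "-" "Mozilla/4.0"
203.0.113.5 - - [25/Aug/2009:10:02:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# hits_by_client PATH LOGFILE
# Prints one line per client that requested PATH (prefix match, so query
# strings count too): "<hits> <client-ip> <first-seen>", busiest first.
# In combined format $1 is the client, $4 is "[dd/Mon/yyyy:HH:MM:SS" and
# $7 is the request path.
hits_by_client() {
    path="$1"; file="$2"
    awk -v p="$path" '
        index($7, p) == 1 {
            c = $1
            counts[c]++
            if (!(c in first)) first[c] = substr($4, 2)   # drop leading "["
        }
        END {
            for (c in counts) printf "%d %s %s\n", counts[c], c, first[c]
        }
    ' "$file" | sort -rn
}

hits_by_client /cgi-bin/form.pl "$LOG"
```

Run against the real log with the path of the compromised script; the first-seen column also gives you the earliest date to start reading the full log around, which is usually where the initial exploitation attempt (and the attacker's own address) shows up.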

