Cleaning up after attack?

Mon Feb 15 10:49:59 UTC 2010

On 15/02/10 11:13, Dr. Jennifer Nussbaum wrote:
> Hi. I have an up-to-date FreeBSD 7.2 box that has been compromised. Someone apparently got into an account with certain admin privileges and has been
> sending spam.
> I disabled the account, shut off my MTA and used pf to block all traffic to port 25 out for good measure.
> How do I analyse what might have happened and what has been installed?
> And is there anything to do other than rebuild the entire system to ensure that it's clean?

If the attacker had privileged access then he may have got a copy of
master.passwd; you should assume all accounts compromised. If user
data are shared with other servers, then all should be considered

Blocking certain access, say port 25, is insufficient. You should get it
off the net until you are sure the system is clean, as the attacker may
have installed some daemon that communicates on a non-standard port.

If you had things like tripwire installed, you could get an idea of which
files were modified. Otherwise you can use find to create a list of files
modified since the attack, but this is only useful insofar as the attacker
did not bother to reset access or modification times.

It may be faster to rebuild everything rather than trying to figure out 
what may have been modified, if your main concern is to get the system 
back up rather than investigate the incident.

BR, Erik
Erik Nørgaard
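The find-based sweep Erik describes, and its timestamp caveat, as an added example (editor's code, not from the original thread or from FreeBSD): an mtime-based `find -newer` pass is compared with a ctime-based `find -cnewer` pass on a constructed sample tree. touch(1) can rewrite atime and mtime, but every such touch bumps the inode change time (ctime), which cannot be set from userland without moving the system clock, so a ctime sweep still catches a dropped file whose mtime was reset to look old. The file names (`known_good`, `maillog`, `.sshd_helper`) and the 2010 reference time are assumptions chosen for the demo; it assumes a GNU or BSD find that supports `-cnewer`. The script is self-contained and runs offline.

```shell
#!/bin/sh
# Added example, not code from the original thread. Compares an mtime
# sweep (find -newer) with a ctime sweep (find -cnewer) over a tree that
# this script constructs itself. File names and dates are made up.

# Files under $1 whose mtime is newer than the mtime of reference file $2.
# This is the sweep a quick "find since the attack" usually means, and it
# is fooled by an attacker who resets mtime with touch.
files_modified_since() {
    find "$1" -type f -newer "$2" | LC_ALL=C sort
}

# Files under $1 whose ctime (inode change time) is newer than the mtime
# of reference file $2. touch -t rewrites atime/mtime but the kernel
# updates ctime on every such change, so this catches the reset file too.
# Caveat: root can still defeat it by setting the clock back or writing to
# the raw device, so treat it as a hint, not proof of a clean system.
files_changed_since() {
    find "$1" -type f -cnewer "$2" | LC_ALL=C sort
}

# Build a constructed sample tree and print its root directory.
# Every file here is created now, so on this tree the ctime sweep lists
# all of them; on a real system, files untouched since before the attack
# keep their older ctime and drop out of the listing.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    # Reference file: mtime set to the last moment the box was known good
    # (assumed to be 2010-02-14 00:00 for this demo).
    touch -t 201002140000 "$root/known_good"
    mkdir "$root/tree"
    # Ordinary file legitimately written after the reference time.
    echo 'rotated log' > "$root/tree/maillog"
    # Attacker drops a file, then resets its mtime to 2009 to hide it
    # from an mtime-only sweep. ctime is still "now".
    echo 'fake backdoor' > "$root/tree/.sshd_helper"
    touch -t 200905010000 "$root/tree/.sshd_helper"
    printf '%s\n' "$root"
}

# Stand-alone usage: show both sweeps side by side, then clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(build_sample_tree)
    echo "mtime sweep (misses the reset file):"
    files_modified_since "$root/tree" "$root/known_good"
    echo "ctime sweep (still lists it):"
    files_changed_since "$root/tree" "$root/known_good"
    rm -rf "$root"
fi
```

Run it with `--demo`: the mtime sweep prints only `maillog`, while the ctime sweep also prints `.sshd_helper`. On a live system, run the sweeps from a read-only boot medium or a forensic copy rather than on the compromised host's own find binary, since a rootkit may replace find or filter what the kernel reports.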
