Cleaning up after attack?
Erik Norgaard
norgaard at locolomo.org
Mon Feb 15 10:49:59 UTC 2010
On 15/02/10 11:13, Dr. Jennifer Nussbaum wrote:
> Hi. I have an up-to-date FreeBSD 7.2 box that has been compromised. Someone apparently got in to an account with certain admin privileges and has been
> sending spam.
>
> I disabled the account, shut off my MTA and used pf to block all traffic to port 25 out for good measure.
>
> How do I analyse what might have happened and what has been installed?
>
> And is there anything to do other than rebuild the entire system to ensure that it's clean?
If the attacker had privileged access then he may have got a copy of
master.password; you should assume all accounts compromised. If user
data are shared with other servers, then all of those should be considered
compromised as well.
Blocking certain access, say port 25, is insufficient. You should get it
off the net until you are sure the system is clean, as the attacker may
have installed some daemon that communicates on a non-standard port.
If you had things like tripwire installed you could get an idea of files
modified. Otherwise you can use find to create a list of files modified
since the attack, but this is only useful insofar as the attacker did
not bother to reset access or modification times.
It may be faster to rebuild everything rather than trying to figure out
what may have been modified, if your main concern is to get the system
back up rather than investigate the incident.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
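One way to do the find-based sweep Erik describes, as an added example that is not part of the original thread: it keys on ctime rather than mtime, because ctime is set by the kernel and cannot be reset with touch(1), which narrows the "attacker reset the timestamps" caveat. It assumes a find(1) that understands -newerXY (FreeBSD and GNU find both do) and builds its own constructed sample directory.

```shell
#!/bin/sh
# Added example, not code from the original thread. Sweeps a tree for files
# whose inode change time (ctime) is newer than a reference timestamp.
# An attacker can reset mtime/atime with touch(1), but ctime is written by
# the kernel on every inode change and cannot be set from user space, so a
# ctime sweep survives timestamp resets that an mtime sweep does not.
# Assumes find(1) understands -newerXY (FreeBSD and GNU find both do); the
# reference-time syntax accepted after -newerct is find-specific.

# Files under $2 whose ctime is newer than reference time $1, one per line.
files_changed_since() {
    find "$2" -xdev -newerct "$1" -print 2>/dev/null | sort
}

# Same sweep keyed on mtime, which a backdated timestamp defeats.
files_modified_since() {
    find "$2" -xdev -newermt "$1" -print 2>/dev/null | sort
}

# Demo on a constructed directory: a file written now, then given a
# backdated mtime, as an intruder covering tracks would. Returns 0 when the
# ctime sweep catches it and the mtime sweep misses it.
demo() {
    tmp=$(mktemp -d) || return 1
    ref="2010-02-14 00:00:00"              # assumed time of the intrusion
    printf 'planted\n' > "$tmp/dropper"    # constructed "planted" file
    touch -t 200901010000 "$tmp/dropper"   # mtime reset to 2009
    by_ctime=$(files_changed_since "$ref" "$tmp")
    by_mtime=$(files_modified_since "$ref" "$tmp")
    rm -rf "$tmp"
    case "$by_mtime" in *dropper*) return 1 ;; esac   # mtime sweep fooled
    case "$by_ctime" in *dropper*) return 0 ;; esac   # ctime sweep caught it
    return 1
}

# A root-level intruder can still defeat this by changing the system clock
# or editing the filesystem directly, so treat the list as triage, not proof.
```

Run it against the real root as `files_changed_since "<intrusion time>" /` from a clean boot medium, since find and libc on the compromised box may themselves have been replaced.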