compromised server

James admin at oxygenshell.com
Thu Aug 28 09:16:45 PDT 2003


Hello Jahmon,

    In regards to your question, I would check over your resolv.conf and
httpd.conf and check /var/log/messages and the various other logging
utilities. Also,
  a. Run only the services you plan on using.
  b. Use only the services that are necessary.
  c. Use secure passwords.
  d. Force users on your machine to use secure passwords.
  e. Restrict root access to a minimal set of services.
  f. Restrict access to these services via inetd and tcpwrappers.
  g. Restrict access to your box using IP Firewall services (ipfw).
  h. Log events on your machine and understand what logs are being kept.
  i. Install some type of system change detection software so that you can
tell if your server has been compromised.
  j. Back up your server's data so that if it is compromised you can
reinstall from scratch, but still have your data available.
  k. Finally, physical security is important. The more people who have
physical access to the machine, the less secure your server is.
When this is completed, run the sockstat command at the root prompt. This
will enable you to view the various programs and ports being used. If you suspect
something that's not bound to the proper port, firewall it until you can
reinstall the program.

In any case, having been hacked, rootkits install various programs to set up setuid
programs and/or utilities for sshd and other programs. In many cases, for my
clients' machines, I would log in and update all programs: run cvsup and make
buildworld; make installworld over again. (Don't forget sockstat.) This will
enable you to see if their rootkit was enabling any remote open ports to
drop to a root prompt.

Thank You,
James Thomas
Sr. Administrator
admin at oxygenshell.com
----- Original Message -----
From: "jahmon" <jahmon at jahmon.com>
To: <freeBSD-security at freebsd.org>
Sent: Thursday, August 28, 2003 10:41 AM
Subject: compromised server


> I have a server that has been compromised.
> I'm running version 4.6.2
> when I do
>
>  >last
>
> this line comes up in the list.
> shutdown         ~                         Thu Aug 28 05:22
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf)
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
>
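The sockstat check James recommends, worked through as an added example (this is not code from either poster): compare the listening sockets against an allowlist of what the host is supposed to run, report anything else, and print ipfw deny rules for the strays. The sockstat output below is constructed to match the FreeBSD 4.x `sockstat -4 -l` column layout (USER, COMMAND, PID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS); the `bnc` listener on 31337 and the second sshd on 2222 are planted suspects, not findings from jahmon's machine, and the allowlist is an assumption to edit for your own box.

```shell
#!/bin/sh
# Added example, not code from the thread: flag listening sockets that are not
# on an allowlist, given `sockstat -4 -l` output (FreeBSD 4.x column layout:
# USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS"), then print
# ipfw deny rules for them. All data below is constructed for illustration.

# Constructed sample of `sockstat -4 -l` output; on a real box feed the live
# command in instead. bnc on 31337 and a second sshd on 2222 are the planted
# suspects, not findings from the original poster's host.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       101    4 tcp4   *:22                  *:*
root     httpd      212   16 tcp4   *:80                  *:*
www      httpd      213   16 tcp4   *:80                  *:*
root     inetd      120    5 tcp4   *:21                  *:*
root     syslogd     88    4 udp4   *:514                 *:*
root     bnc       4242    3 tcp4   *:31337               *:*
root     sshd      4311    3 tcp4   *:2222                *:*'

# Allowlist of proto/port=command the host is supposed to run (assumption:
# edit this for your own machine; anything else listening gets reported).
ALLOWED="tcp4/22=sshd tcp4/80=httpd tcp4/21=inetd udp4/514=syslogd"

# find_unexpected: reads sockstat output on stdin and prints one line per
# listening socket whose proto/port is not allowlisted, or is allowlisted but
# owned by a different command than expected (a replaced binary on a known
# port shows up as the latter).
find_unexpected() {
    awk -v allowed="$ALLOWED" '
    BEGIN {
        n = split(allowed, entries, " ")
        for (i = 1; i <= n; i++) {
            split(entries[i], kv, "=")
            ok[kv[1]] = kv[2]          # ok["tcp4/22"] = "sshd"
        }
    }
    NR == 1 { next }                   # skip the header line
    NF >= 6 {
        proto = $5
        m = split($6, la, ":")         # LOCAL ADDRESS is addr:port; take the last piece
        key = proto "/" la[m]
        if (!(key in ok) || ok[key] != $2)
            printf "%s %s pid=%s %s\n", $1, $2, $3, key
    }'
}

# ipfw_rules: turns find_unexpected lines into ipfw deny rules. They are only
# printed here; review them, then run them as root to block the port until the
# program can be reinstalled from a clean build.
ipfw_rules() {
    awk '{
        split($4, kp, "/")             # "tcp4/31337" -> proto tcp4, port 31337
        printf "ipfw add deny %s from any to me %s in\n", substr(kp[1], 1, 3), kp[2]
    }'
}

# Stand-alone run: on a live FreeBSD host replace the printf with `sockstat -4 -l`.
printf '%s\n' "$SAMPLE_SOCKSTAT" | find_unexpected
printf '%s\n' "$SAMPLE_SOCKSTAT" | find_unexpected | ipfw_rules
```

On the constructed sample this reports the `bnc` listener on tcp4/31337 and the sshd on tcp4/2222, and prints `ipfw add deny tcp from any to me 31337 in` and the matching rule for 2222. Treat the allowlist as a statement of what the box should be doing, not of what it currently does: if the only way to build it is by reading the current sockstat output, a rootkit's listener on a familiar port would simply be allowlisted along with everything else.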