"sh -i" My server was hacked. How can i found hole on my server?
Kövesdán Gábor
gabor.kovesdan at t-hosting.hu
Mon Jun 27 10:31:34 GMT 2005
Oleg Rusanov wrote:
> What is better to do to clean my system?
You should back up the data You need. You can also save Your configuration
files: httpd.conf, etc. Then make a clean install from disc. The
intruder could have installed a rootkit and modified system binaries. The best
thing You can do is reinstall everything.
> How can I find the hole on my server?
That is the harder part.
1, Check Your FreeBSD version in uname -a. Is it up-to-date? Have You
upgraded to the appropriate security branch? Or does it have some
security issues?
2, Think about which network daemons You are using. Check the version
numbers and look for security advisories on the project homepage and in
mailing list archives. Does something have a vulnerability?
3, Now check all the homepages You have. Is there a security
deficiency somewhere? If You use open-source portal projects
like phpbb, as You mentioned, look for security advisories on the project
homepage or in mailing list archives. If You have custom php code, You
should examine it.
4, You can never trust anybody.... Are there local users on the machine?
They might use a local root exploit if there is such a vulnerability. If
You haven't found the hole so far, You should look for advisories
again... You should examine every package that You have installed.
Prevention is extremely important:
1, Subscribe to freebsd-announce and to freebsd-security-notifications
and upgrade Your system if necessary.
2, Subscribe to the announce and security lists of *each* piece of software You use
and upgrade them if necessary.
3, Place only trusted and secure code on the hosted websites.
4, If somebody doesn't need a unix account, don't give him one. Or if he
does need one, try to minimize the privileges he gets. The most powerful
protection is to set up a jail environment and use it for giving out
user accounts.
Cheers,
Gábor Kövesdán
P.S.: I've removed freebsd-amd64 from the cc list, since it is related to
freebsd-security.
<http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications>
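A small triage helper for the checklist in the reply above, added here as an example and not part of the thread. Each function parses command output on stdin, so it is exercised below with constructed samples standing in for `uname -r`, `sockstat -46l` and `getent passwd` on a live FreeBSD host.

```sh
#!/bin/sh
# Added example: offline-runnable helpers for the post-compromise checklist.
# Feed each function the real command named in its comment on the compromised host.

# Step 1: does the running kernel carry a security-branch patch level?
# Input: `uname -r`. A -pN suffix means the kernel was rebuilt on the security
# branch; note it says nothing about userland-only patches.
patch_level() {
  awk '/-p[0-9]+$/ { print "patched"; next } { print "unpatched" }'
}

# Step 2: which daemons are listening, and as whom? Input: `sockstat -46l`.
# Prints one "user command port" tuple per line, deduplicated, so each daemon
# can be matched against its project's advisories and version numbers.
listeners() {
  awk 'NR > 1 { n = split($6, a, ":"); print $1, $2, a[n] }' | sort -u
}

# Step 4: which local accounts can actually log in? Input: `getent passwd`.
# Accounts whose shell is nologin or false are skipped; review the rest and
# cut their privileges (or move them into a jail) as the reply recommends.
interactive_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

# Constructed sample data (not taken from the thread's server).
SAMPLE_UNAME='5.4-RELEASE'
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
www      httpd      640   4  tcp4   *:80                  *:*
www      httpd      641   4  tcp4   *:80                  *:*
mysql    mysqld     700   10 tcp4   127.0.0.1:3306        *:*'
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
oleg:*:1001:1001:Oleg:/home/oleg:/bin/sh
webdev:*:1002:1002:Site developer:/home/webdev:/usr/local/bin/bash'

report() {
  echo "kernel: $(printf '%s\n' "$SAMPLE_UNAME" | patch_level)"
  echo "listening daemons (user command port):"
  printf '%s\n' "$SAMPLE_SOCKSTAT" | listeners
  echo "accounts with a login shell:"
  printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
}
```

On the real machine, run the parsers against the live commands from a known-good rescue environment, since binaries on a rootkitted system cannot be trusted to report honestly.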