compromised server
Guy P.
guy at device.dyndns.org
Thu Aug 28 08:22:44 PDT 2003
At 16:41 28/08/2003, jahmon wrote:
>I have a server that has been compromised.
>I'm running version 4.6.2
>when I do
>
> >last
>
>this line comes up in the list.
>shutdown ~ Thu Aug 28 05:22
>That was the time the server went down.
>There seemed to be some configuration changes.
>Some of the files seemed to revert back to default versions
>(httpd.conf, resolv.conf)
>
>Does anyone have a clue what type of exploit they may have used?
>Is there any way I can find out if there are any trojans installed?
>
>Thanks
>
>jahmon
The usual process is to shut down the computer ASAP and never boot again from its
current disk until it's wiped out, or until you have retrieved all the information you
wanted.
Instead, boot off a CD (a live filesystem if you've got one, but an install CD could
do too) and make sure to mount your (compromised) disk(s) read-only, without
running anything executable from them.
Then proceed to the investigation. The first step would be chkrootkit (though part of
its tests require you to run it "live" on the suspicious system). Also
spend some time reading the various /var/log files (but don't rely on their
integrity). If you have an aide or tripwire "image" of your system
somewhere, it's time to put it to use.
For more ideas you could read for instance the archives of honeynet
challenges ( http://project.honeynet.org/misc/chall.html ).
gd'luk
--
Guy
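The procedure in the reply (mount the suspect disk read-only so nothing on it can execute, then check its files against an aide/tripwire-style baseline saved earlier) as an added POSIX sh example; this is not code from the original post, and the device, mount point and sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): preserve a suspect disk by
# mounting it read-only, then compare its files against a saved hash baseline.

# Mount a suspect filesystem so nothing on it can run or gain privileges.
# Device and mount point are assumptions; run as root from the live CD.
mount_evidence() {
    device="$1"; mountpoint="$2"
    mkdir -p "$mountpoint"
    mount -o ro,noexec,nosuid "$device" "$mountpoint"
}

# Print the SHA-256 of one file using whichever tool the host provides
# (sha256sum on GNU systems, sha256 on FreeBSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Write a baseline manifest: one "hash<TAB>relative-path" line per regular
# file under ROOT, sorted so two manifests are directly comparable.
make_baseline() {
    root="$1"; out="$2"
    ( cd "$root" && find . -type f | sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$(hash_file "$f")" "$f"
      done ) > "$out"
}

# Compare ROOT against BASELINE. Prints ADDED/REMOVED/CHANGED lines and
# returns 1 when anything differs, 0 when the tree matches the baseline.
compare_baseline() {
    root="$1"; baseline="$2"
    current=$(mktemp)
    make_baseline "$root" "$current"
    diffs=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
                            { cur[$2] = $1 }
        END {
            for (p in cur)  if (!(p in base)) print "ADDED " p
            for (p in base) if (!(p in cur))  print "REMOVED " p
            for (p in cur)  if ((p in base) && cur[p] != base[p]) print "CHANGED " p
        }' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}
```

The baseline must come from a known-good state (taken before the incident and stored off the machine); a manifest generated from the compromised disk itself only shows changes made after that point.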