compromised server
twig les
twigles at yahoo.com
Thu Aug 28 09:45:26 PDT 2003
No one will be able to even guess how they got in without
knowing what you are running on the box (IIS, MSSql, etc.
[hahah, jk]). Although this may be belated, there is an
excellent book called "Incident Response: Investigating Computer
Crime" from authors Mandia and Prosise. Unfortunately I can
almost guarantee that the advice the book will give you is to
restore from the last known-good backup after re-installing the
OS cleanly. If you were going to try to go hardcore forensics
on an intrusion you would have to already have a nice set of
utilities, hopefully on CD or floppy, ready to be mounted like:
ps, ls, top, The Coroner's Toolkit, etc (I'm sure I'm missing a
bunch).
Sorry for the doom and gloom (and the lame MS joke) but the book
is truly a fascinating read even if you have nothing to do with
incident response.
--- "Devon H. O'Dell" <dodell at sitetronics.com> wrote:
> Heh, I forgot to send this to the group... so here it is.
>
> To check for suid and sgid programs, run the following
> command:
>
> find / -type f \( -perm -04000 -o -perm -02000 \)
>
> Hope this helps.
>
> --Devon
>
> jahmon wrote:
>
> > Devon,
> >
> > checked the /var/log - nothing strange found
> > ran chkrootkit - nothing found
> > checked user accounts - no new accounts found
> >
> > how do I check for suid permissions.
> >
> > Thanks,
> >
> > jahmon
> > On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. O'Dell wrote:
> >
> >> You will want to read everything in /var/log, run chkrootkit, check
> >> out .history files, look for new user accounts, look for files with
> >> suid permissions and other similar stuff. I don't know of a site that
> >> really says what exactly to do. If someone knows such a reference,
> >> it'd be highly useful. Otherwise, is anybody willing to write one
> >> (I'd be willing to contribute).
> >>
> >> One good thing may be to search for computer forensics on Google;
> >> specifically for compromised servers. Combining those and other words
> >> may give you varying levels of success, I think.
> >>
> >> --Devon
> >>
> >> jahmon wrote:
> >>
> >>> I have a server that has been compromised.
> >>> I'm running version 4.6.2
> >>> when I do
> >>>
> >>> >last
> >>>
> >>> this line comes up in the list.
> >>> shutdown ~ Thu Aug 28 05:22
> >>> That was the time the server went down.
> >>> There seemed to be some configuration changes.
> >>> Some of the files seemed to revert back to default versions
> >>> (httpd.conf, resolv.conf)
> >>>
> >>> Does anyone have a clue what type of exploit they may have used?
> >>> Is there any way I can find out if there are any trojans installed?
> >>>
> >>> Thanks
> >>>
> >>> jahmon
> >>>
> >>> _______________________________________________
> >>> freebsd-security at freebsd.org mailing list
> >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >>> To unsubscribe, send any mail to
> >>> "freebsd-security-unsubscribe at freebsd.org"
=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------
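Devon's find command above lists every setuid/setgid file, but on its own it gives no way to tell which of those were there before the intrusion. The script below is an added example, not code from anyone in this thread: it wraps the quoted find expression (with the space after `\(` that the archive formatting lost) in a small POSIX sh tool that saves a baseline of setuid/setgid paths and later reports which paths have appeared since. The directory and baseline file names are hypothetical, and the `demo` function builds a constructed tree in a temporary directory to show the comparison working. In line with the advice about carrying your own utilities on read-only media, run it with a find and comm you trust rather than the ones on a suspect host.

```shell
#!/bin/sh
# Added example (not code from the thread): enumerate setuid/setgid files
# under a directory tree and compare the list against a saved baseline, so
# a responder can see which privileged binaries appeared since the last check.
# Assumes a trusted find(1), sort(1) and comm(1); the paths used are hypothetical.

# list_suid_sgid DIR: print every regular file under DIR with the setuid or
# setgid bit set, one path per line, sorted so the output can be compared.
list_suid_sgid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# save_baseline DIR FILE: record the current list for later comparison.
# Keep the baseline off the host (or on read-only media) so it cannot be
# edited on the box to match later changes.
save_baseline() {
    list_suid_sgid "$1" > "$2"
}

# new_since_baseline DIR FILE: print setuid/setgid files present now but
# absent from the baseline. Exit status 0 means nothing new, 1 means the
# printed paths are new, 2 means the comparison could not be run.
new_since_baseline() {
    _cur=$(mktemp) || return 2
    list_suid_sgid "$1" > "$_cur"
    # comm -13: lines only in the second (current) file, i.e. newly added paths
    _added=$(comm -13 "$2" "$_cur")
    rm -f "$_cur"
    if [ -z "$_added" ]; then
        return 0
    fi
    printf '%s\n' "$_added"
    return 1
}

# demo: build a constructed tree in a temporary directory, take a baseline,
# then add a setgid file and show that only that file is reported.
demo() {
    _root=$(mktemp -d) || return 2
    mkdir -p "$_root/usr/bin" "$_root/tmp"
    : > "$_root/usr/bin/legit"; chmod 4755 "$_root/usr/bin/legit"   # expected setuid binary
    : > "$_root/usr/bin/plain"; chmod 0755 "$_root/usr/bin/plain"   # no special bits
    save_baseline "$_root" "$_root/baseline.txt"
    : > "$_root/tmp/.dropped"; chmod 2755 "$_root/tmp/.dropped"      # appears after the baseline, setgid
    if new_since_baseline "$_root" "$_root/baseline.txt"; then
        _rc=0
    else
        _rc=$?
    fi
    rm -rf "$_root"
    return $_rc
}

# Usage: ./suid_baseline.sh --demo   (runs the constructed demonstration)
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

For real use, call `save_baseline / /mnt/cdrom/suid-baseline.txt` (or similar) on a known-good system and `new_since_baseline / /mnt/cdrom/suid-baseline.txt` when investigating; a non-zero exit status makes it simple to run from cron or a checklist script.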