"sh -i" My server was hacked. How can i found hole on my
server?
Oleg Rusanov
freebsd-security at molecon.ru
Mon Jun 27 11:34:49 GMT 2005
> Also check that your kernel wasn't recompiled and that there aren't any
> (known at least) rootkits (chkrootkit).
> Anyway, IMHO, there are more ways to hide something in your system..
> If I were you, I'd do all this to try to know the real reason and to
> keep that in mind for the future. Finally, I'd follow Jan Muenther's
> advice to be sure that you're absolutely clean.
amd64# uname -mirs
FreeBSD 5.4-STABLE amd64 L71
amd64#
amd64# kldstat
Id Refs Address Size Name
1 2 0xffffffff80100000 470930 kernel
2 1 0xffffffffb45b0000 2213 nullfs.ko
amd64# sysctl kern.securelevel
kern.securelevel: -1
Shell account only for me. And "Php open_basedir" was disabled only for
one account. So phpshell may go only from this account, but there are
no phpbb hole on this account. hm.
chrootkit not working, also after reinstall.
Checking `bindshell'... INFECTED (PORTS: 465 4000)
Checking `lkm'...
here is he checking for a log time, i think its not normal.
I continue to search.
--
Regards,
Oleg mailto:freebsd-security at molecon.ru
More information about the freebsd-security
mailing list