I have a server that has been compromised.
I'm running version 4.6.2
when I do

>last

this line comes up in the list.
shutdown ~ Thu Aug 28 05:22
That was the time the server went down.
There seemed to be some configuration changes.
Some of the files seemed to revert back to default versions
(httpd.conf, resolv.conf)

Does anyone have a clue what type of exploit they may have used?
Is there any way I can find out if there are any trojans installed?

Thanks

jahmon
At 16:41 28/08/2003, jahmon wrote:
> I have a server that has been compromised.
> I'm running version 4.6.2
> when I do
>
> >last
>
> this line comes up in the list.
> shutdown ~ Thu Aug 28 05:22
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf)
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon

Usual process is to shut down the computer ASAP, and never boot again from its current disk until it's wiped out, or until you have retrieved all the information you wanted. Instead, boot off a CD (a live filesystem if you have it, but the install CD could do too) and make sure to mount your (compromised) disk(s) read-only, without running anything executable out of them. Then proceed to the investigation.

First step would be chkrootkit (though part of its tests require you to run it "live" on the suspicious system). Also spend some time reading the various /var/log files (but don't rely on their integrity). If you have an aide or tripwire "image" of your system somewhere, it's time to put it to use.

For more ideas you could read, for instance, the archives of the honeynet challenges ( http://project.honeynet.org/misc/chall.html ).

gd'luk
-- Guy
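Guy's point about an aide/tripwire "image" is that you can only tell what changed if you recorded the trusted state beforehand. The script below is an added example, not code from the thread or from either tool: it records a hash of every regular file under a tree, then reports files that were modified, added or removed. It assumes the baseline was taken while the box was still trusted and kept off the box; the file tree and contents in the demo are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: a minimal "baseline and compare" integrity check, the
# same idea as the aide/tripwire image Guy mentions. Assumptions: the baseline was recorded
# while the system was still trusted and kept off the box; the file tree, paths and contents
# in the demo at the bottom are constructed for illustration.

# Hash one file. Prefers sha256sum (Linux), then sha256 (FreeBSD), then shasum; falls back to
# POSIX cksum, which is only a CRC and good enough for a demo, not for a real baseline.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        cksum "$1" | awk '{ print $1 }'
    fi
}

# Record "hash<TAB>relative-path" for every regular file under $1 into the baseline file $2.
# Paths are stored relative to the root so the same baseline still matches the disk when it
# is later mounted read-only under a different mount point.
make_baseline() {
    root=$1; out=$2
    : > "$out"
    find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "${f#"$root"/}"
    done >> "$out"
}

# Compare the tree under $1 with the baseline file $2. Prints one line per difference:
# MODIFIED (hash changed), ADDED (not in baseline), MISSING (in baseline, gone now).
# Prints nothing when the tree matches the baseline.
compare_baseline() {
    root=$1; baseline=$2
    cur=$(mktemp)
    make_baseline "$root" "$cur"
    awk -F'\t' -v b="$baseline" '
        FILENAME == b { base[$2] = $1; next }        # first file: the trusted baseline
        {
            seen[$2] = 1
            if (!($2 in base))        print "ADDED\t" $2
            else if (base[$2] != $1)  print "MODIFIED\t" $2
        }
        END { for (p in base) if (!(p in seen)) print "MISSING\t" p }
    ' "$baseline" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# Constructed demo: a tiny "system" with two config files, a snapshot, then tampering that
# mirrors what jahmon reported (a config file replaced) plus an extra file dropped in.
demo() {
    sys=$(mktemp -d); base=$(mktemp)
    mkdir -p "$sys/etc"
    printf 'nameserver 192.0.2.53\n' > "$sys/etc/resolv.conf"
    printf 'ServerName www.example.test\n' > "$sys/etc/httpd.conf"
    make_baseline "$sys" "$base"
    printf 'nameserver 127.0.0.1\n' > "$sys/etc/resolv.conf"
    printf 'placeholder\n' > "$sys/etc/extra.conf"
    compare_baseline "$sys" "$base"
    rm -rf "$sys" "$base"
}
demo
```

Run against the compromised disk the way Guy describes: mount it read-only from the rescue media (on FreeBSD, `mount -o ro,noexec,nosuid <device> /mnt`, device name being whatever your disk is) and point `compare_baseline /mnt baseline.txt` at it. Note that a baseline stored on the same disk is worthless after a compromise, since whoever replaced httpd.conf could have updated the baseline too.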
Heh, I forgot to send this to the group... so here it is.

To check for suid and sgid programs, run the following command:

find / -type f \( -perm -04000 -o -perm -02000 \)

Hope this helps.

--Devon

jahmon wrote:
> Devon,
>
> checked the /var/log - nothing strange found
> ran chkrootkit - nothing found
> checked user accounts - no new accounts found
>
> how do I check for suid permissions.
>
> Thanks,
>
> jahmon
>
> On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. O'Dell wrote:
>
>> You will want to read everything in /var/log, run chkrootkit, check
>> out .history files, look for new user accounts, look for files with
>> suid permissions and other similar stuff. I don't know of a site that
>> really says what exactly to do. If someone knows such a reference,
>> it'd be highly useful. Otherwise, is anybody willing to write one
>> (I'd be willing to contribute).
>>
>> One good thing may be to search for computer forensics on Google;
>> specifically for compromised servers. Combining those and other words
>> may give you varying levels of success, I think.
>>
>> --Devon
>>
>> jahmon wrote:
>>
>>> I have a server that has been compromised.
>>> I'm running version 4.6.2
>>> when I do
>>>
>>> >last
>>>
>>> this line comes up in the list.
>>> shutdown ~ Thu Aug 28 05:22
>>> That was the time the server went down.
>>> There seemed to be some configuration changes.
>>> Some of the files seemed to revert back to default versions
>>> (httpd.conf, resolv.conf)
>>>
>>> Does anyone have a clue what type of exploit they may have used?
>>> Is there any way I can find out if there are any trojans installed?
>>>
>>> Thanks
>>>
>>> jahmon
>>>
>>> _______________________________________________
>>> freebsd-security@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe@freebsd.org"
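Devon's find expression lists every set-uid and set-gid file, which on a full install is a long list. The added example below (not code from the thread) wraps the same expression in a check against an allowlist taken from a known-good install of the same release, so only the entries that need explaining are printed. The tree, file names and allowlist in the demo are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: enumerate set-uid and set-gid files with Devon's find
# expression and diff the result against an allowlist taken from a known-good install of the
# same release. The directory tree, file names and allowlist in the demo are constructed.

# Print "suid <path>" / "sgid <path>" for every regular file under $1 that carries the bit,
# with paths relative to the root so output can be compared across mount points.
# (A file with both bits set is reported twice, once per tag.)
list_setid() {
    root=$1
    {
        find "$root" -type f -perm -04000 -exec printf 'suid %s\n' {} \;
        find "$root" -type f -perm -02000 -exec printf 'sgid %s\n' {} \;
    } | awk -v r="$root/" '{
        tag = $1; path = substr($0, length(tag) + 2)   # keeps any spaces in the path intact
        print tag, substr(path, length(r) + 1)
    }' | LC_ALL=C sort
}

# Print the set-id files under $1 that are NOT in the allowlist file $2 (one
# "tag relative/path" per line). Anything printed is either a legitimate binary missing
# from the list or something that needs an explanation before the box is trusted again.
unexpected_setid() {
    root=$1; allow=$2
    sorted=$(mktemp)
    LC_ALL=C sort "$allow" > "$sorted"
    list_setid "$root" | LC_ALL=C comm -23 - "$sorted"
    rm -f "$sorted"
}

# Constructed demo: two expected set-id binaries, one ordinary binary, and one set-uid file
# under tmp where no set-uid file belongs.
demo() {
    sys=$(mktemp -d); allow=$(mktemp)
    mkdir -p "$sys/usr/bin" "$sys/tmp"
    : > "$sys/usr/bin/su";   chmod 4755 "$sys/usr/bin/su"      # expected set-uid binary
    : > "$sys/usr/bin/wall"; chmod 2755 "$sys/usr/bin/wall"    # expected set-gid binary
    : > "$sys/usr/bin/vi";   chmod 0755 "$sys/usr/bin/vi"      # ordinary binary
    : > "$sys/tmp/.sh";      chmod 4755 "$sys/tmp/.sh"         # constructed: out of place
    printf 'suid usr/bin/su\nsgid usr/bin/wall\n' > "$allow"
    unexpected_setid "$sys" "$allow"    # prints: suid tmp/.sh
    rm -rf "$sys" "$allow"
}
demo
```

Build the allowlist with `list_setid / > allowlist.txt` on a clean install of the same release, not on the suspect machine, and run `unexpected_setid /mnt allowlist.txt` against the read-only mounted disk. A set-id file that is on the allowlist but has a different hash is the other case to check, which is what a file-integrity baseline is for.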
Hello Jahmon,

In regards to your question I would check over your resolv.conf and httpd.conf and check /var/log/messages and the various other logging utilities. Also,

a. Run only the services you plan on using.
b. Use only the services that are necessary.
c. Use secure passwords.
d. Force users on your machine to use secure passwords.
e. Restrict root access to a minimal set of services.
f. Restrict access to these services via inetd and tcpwrappers.
g. Restrict access to your box using IP Firewall services (ipfw).
h. Log events on your machine and understand what logs are being kept.
i. Install some type of system change detection software so that you can tell if your server has been compromised.
j. Back up your server's data so that if it is compromised you can reinstall from scratch, but still have your data available.
k. Finally, physical security is important. The more people who have physical access to the machine, the less secure your server is.

When this is completed, run a sockstat command at the root prompt. This will enable you to view the various programs and ports being used. If you suspect something that's not bound to the proper port, firewall it until you can reinstall the program. In any case, when you are hacked, rootkits install various programs to set up setuid programs and/or utilities for sshd and other programs. In many cases for my clients' machines I would log in and update all programs, run cvsup and make buildworld; make installworld over again. (Don't forget sockstat.) This will enable you to see if their rootkit was enabling any remote open ports to drop to a root prompt.

Thank You,
James Thomas
Sr. Administrator
admin@oxygenshell.com

----- Original Message -----
From: "jahmon" <jahmon@jahmon.com>
To: <freeBSD-security@freebsd.org>
Sent: Thursday, August 28, 2003 10:41 AM
Subject: compromised server

> I have a server that has been compromised.
> I'm running version 4.6.2
> when I do
>
> >last
>
> this line comes up in the list.
> shutdown ~ Thu Aug 28 05:22
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf)
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon
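James's advice is to read the sockstat listing for ports that nothing on the box should be serving. The added example below (not code from the thread) does that comparison mechanically: it reads `sockstat -4 -l` style output and prints only the listeners whose protocol, local address and command are not on an allowlist. The sample listing and the allowlist are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: check `sockstat -4 -l` output (FreeBSD: listening IPv4
# sockets with the owning process) against the listeners you expect, so an extra open port
# shows up as one line instead of being lost in the full listing. SAMPLE and ALLOWED are
# constructed for the demo; on a real box pipe the live command output in instead.

# Constructed allowlist: "proto local-address command", one per line.
ALLOWED='tcp4 *:22 sshd
tcp4 127.0.0.1:25 sendmail
tcp4 *:80 httpd'

# Constructed sockstat -4 -l output. The last line stands in for the kind of extra listener
# James describes: a shell bound to a port that nothing on the box should be serving.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   4  tcp4   *:22                  *:*
root     sendmail   301   4  tcp4   127.0.0.1:25          *:*
www      httpd      455   16 tcp4   *:80                  *:*
root     sh         9812  3  tcp4   *:2222                *:*'

# Read sockstat output on stdin, skip the header, and print "user command pid proto local"
# for each listener whose (proto, local address, command) triple is not in the allowlist $1.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, l, "\n"); for (i = 1; i <= n; i++) ok[l[i]] = 1 }
        $1 == "USER" { next }                      # column header
        NF < 7       { next }                      # not a socket line
        !(($5 " " $6 " " $2) in ok) { print $1, $2, "pid=" $3, $5, $6 }
    '
}

printf '%s\n' "$SAMPLE" | unexpected_listeners "$ALLOWED"
# prints: root sh pid=9812 tcp4 *:2222
```

Matching on the command name is a weak check on its own: a replaced sshd still reports itself as sshd, which is why this belongs next to a file-integrity comparison rather than in place of one. An unexpected line gives you the PID to look at and the port to firewall with ipfw until the program is reinstalled, as James suggests.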
Hi Jahmon,

I'd highly recommend you try The Coroner's Toolkit (TCT):
http://www.porcupine.org/forensics/tct.html

Take a look at "Help! Someone has broken into my system!"
http://www.fish.com/tct/help-when-broken-into
..at the bottom of the page.

Good luck,
Joe

On Thursday 28 August 2003 08:41 am, jahmon wrote:
> I have a server that has been compromised.
> I'm running version 4.6.2
> when I do
>
> >last
>
> this line comes up in the list.
> shutdown ~ Thu Aug 28 05:22
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf)
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon