On 15/02/10 11:13, Dr. Jennifer Nussbaum wrote:
> Hi. I have an up-to-date FreeBSD 7.2 box that has been compromised. Someone
> apparently got in to an account with certain admin privileges and has been
> sending spam.
> I disabled the account, shut off my MTA and used pf to block all traffic to
> port 25 out for good measure.
> How do I analyse what might have happened and what has been installed?
> And is there anything to do other than rebuild the entire system to ensure that
> it's clean?
If the attacker had privileged access then he may have got a copy of
master.passwd; you should assume all accounts compromised, and if user
data are shared with other servers, then all should be considered
compromised.
Blocking certain access, say port 25, is insufficient. You should get it
off the net until you are sure the system is clean, as the attacker may
have installed some daemon that communicates on a non-standard port.
If you had things like tripwire installed you could get an idea of files
modified. Otherwise you can use find to create a list of files modified
since the attack, but this is only useful insofar as the attacker did
not bother to reset access or modification times.
It may be faster to rebuild everything rather than trying to figure out
what may have been modified, if your main concern is to get the system
back up rather than investigate the incident.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
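The `find` sweep Erik suggests, and its caveat about reset timestamps, as an added example that is not part of the thread. It builds a constructed scratch tree (the file names and contents are invented) and compares a modification-time sweep (`find -newer`) against an inode-change-time sweep (`find -cnewer`, available in both FreeBSD and GNU find). A file whose mtime has been pushed into the past still shows up in the ctime sweep, because the kernel updates ctime on every inode change and `touch` cannot set it back.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All files under the scratch
# directory are constructed for the demonstration, not artefacts of a real host.

# Count regular files whose MODIFICATION time (mtime) is newer than the marker.
# This is the plain "files modified since the attack" sweep from the reply.
count_mtime_newer() {
    find "$1" -type f -newer "$1/.marker" ! -name '.marker' | wc -l | tr -d ' '
}

# Count regular files whose inode CHANGE time (ctime) is newer than the marker.
# ctime is updated by the kernel on any inode change, including a later
# backdating of mtime, so it survives a naive timestamp reset. It does not
# survive a clock change or edits made through the raw device.
count_ctime_newer() {
    find "$1" -type f -cnewer "$1/.marker" ! -name '.marker' | wc -l | tr -d ' '
}

# Build the scratch tree: a marker standing in for "last known-good time",
# one file changed after it, and one file changed after it whose mtime was
# then reset into the past (the evasion the reply warns about).
setup_scratch() {
    dir=$(mktemp -d) || return 1
    : > "$dir/.marker"
    sleep 1                                   # make the later changes strictly newer
    echo "changed after marker" > "$dir/honest.conf"
    echo "changed after marker" > "$dir/backdated.conf"
    touch -t 200001010000 "$dir/backdated.conf"   # mtime now looks old; ctime stays fresh
    printf '%s' "$dir"
}

WORK=$(setup_scratch)
echo "mtime sweep finds: $(count_mtime_newer "$WORK") file(s)"   # 1 (misses backdated.conf)
echo "ctime sweep finds: $(count_ctime_newer "$WORK") file(s)"   # 2 (catches both)
rm -rf "$WORK"
```

On a real host, run the sweep against `/` with `-xdev` per filesystem and choose the reference file with care: `-newer` compares against the reference's mtime, which you can set with `touch -t` to the last known-good date, but `-cnewer` compares against the reference's ctime, so pick a file whose ctime genuinely predates the incident (something left by the last patch or package install), since `touch` cannot backdate ctime. Either sweep only narrows the search; it does not replace the decision to rebuild that Erik recommends.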