On Tue, Mar 09, 2004 at 02:56:15AM +0800, re re wrote:
> hello
> despite having ipfilter blocking all ports except 80 21 and 22, tripwire, and 
> scoring 999999 in nmap, my website got defaced.
> the box is currently unplugged.  i wanted to know what is the best way to find out 
> who did it and how they got in, and what to do from here.  tripwire shows a lot of 
> files changed, most of which could be attributed to cvsup'ing recently.  any other 
> security precautions to take disaster recovery guides?  i've already changed p/w's 
> on my other boxes.

Dear Re,

Could you please cut you text so that the lines are less then 72 char.
I'm on a console and this does read a bit difficult.

What you could do to make you box more secure:
- Run portsentry
- Run a jail

Whow you can find out how they broke in and who they are?
- The log files whould be your first clue. However this could be
  modified by the cracker.
- Check changes in tripwire
- Look for strange files
- Check what programs are started
- Check of security compremisses.
- Check if any backdoors where installed.


Articles based on solutions that I use:
[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to