On Tue, Mar 09, 2004 at 02:56:15AM +0800, re re wrote:
> hello
> despite having ipfilter blocking all ports except 80 21 and 22, tripwire, and
> scoring 999999 in nmap, my website got defaced.
> the box is currently unplugged. i wanted to know what is the best way to find out
> who did it and how they got in, and what to do from here. tripwire shows a lot of
> files changed, most of which could be attributed to cvsup'ing recently. any other
> security precautions to take disaster recovery guides? i've already changed p/w's
> on my other boxes.

Dear Re,

Could you please cut your text so that the lines are less than 72 char.
I'm on a console and this does read a bit difficult.

What you could do to make your box more secure:
- Run portsentry
- Run a jail

How can you find out how they broke in and who they are?
- The log files would be your first clue. However this could be
  modified by the cracker.
- Check changes in tripwire
- Look for strange files
- Check what programs are started
- Check for security compromises.
- Check if any backdoors were installed.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
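
The "check changes in tripwire" step above, for a report where most changes come from a recent cvsup run, as an added example that is not part of the original thread. The (path, time) record layout, the tree list, the run window and all sample values are assumptions constructed for illustration, not tripwire's own report format.

```python
import posixpath
from datetime import datetime

# Assumption: the trees a cvsup run is expected to rewrite on this box.
CVSUP_TREES = ("/usr/src/", "/usr/ports/")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def triage(changes, run_start, run_end, trees=CVSUP_TREES):
    """Split changed files into those a cvsup run accounts for and the rest.

    changes: iterable of (path, "YYYY-MM-DD HH:MM") copied from the report.
    Returns (explained, review); each review entry carries its reason.
    Timestamps on a compromised box can be forged, so "explained" only
    lowers priority; it does not clear a file.
    """
    start, end = _ts(run_start), _ts(run_end)
    explained, review = [], []
    for path, when in changes:
        # Normalise first so "/usr/src/../../bin/login" is not mistaken
        # for a source-tree file.
        norm = posixpath.normpath(path)
        in_tree = (norm + "/").startswith(trees)
        in_window = start <= _ts(when) <= end
        if in_tree and in_window:
            explained.append(norm)
        elif in_tree:
            review.append((norm, "cvsup tree, but changed outside the run"))
        else:
            review.append((norm, "outside any cvsup tree"))
    return explained, review

# Constructed sample: changed files and the window of the last cvsup run.
SAMPLE = [
    ("/usr/src/sys/kern/kern_exec.c", "2004-03-06 01:12"),
    ("/usr/ports/www/apache13/Makefile", "2004-03-06 01:20"),
    ("/usr/src/bin/ls/ls.c", "2004-03-08 03:40"),
    ("/usr/local/www/data/index.html", "2004-03-08 03:44"),
    ("/usr/src/../../bin/login", "2004-03-06 01:15"),
]

if __name__ == "__main__":
    ok, todo = triage(SAMPLE, "2004-03-06 01:00", "2004-03-06 02:00")
    print(len(ok), "changes explained by cvsup")
    for path, reason in todo:
        print("REVIEW", path, "-", reason)
```

Run it against the report taken from the unplugged disk mounted read-only on a clean machine, and compare the review list with a known-good copy of each file.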