Re: hacked?

2010-04-14 Thread Erik Norgaard
On 15/04/10 00:56, Steve Franks wrote: I don't have bsdstats or similar that I'm aware of installed, so this smells bad: Firewall is showing repeated attempts from your FreeBSD machine to connect to port 25 (standard SMTP mail port) on a server in Belgium. This implies something on your system i

Re: hacked?

2010-04-14 Thread Steve Bertrand
On 2010.04.14 18:56, Steve Franks wrote: > I don't have bsdstats or similar that I'm aware of installed, so this > smells bad: You have an incredibly poor sense of smell. > Firewall is showing repeated attempts from your FreeBSD machine to > connect to port 25 (standard SMTP mail port) on a serve

Re: hacked?

2010-04-14 Thread Tim Judd
: ADSL-GO-PLUS > descr: Belgacom ISP SA/NV > country: BE > > Where would I start sniffing around as far as what got put on my box? > > Steve I've seen "hacked" boxes due to insecure services offered to the public Internet have scr

Re: hacked?

2010-04-14 Thread Chuck Swiger
Hi-- On Apr 14, 2010, at 3:56 PM, Steve Franks wrote: > I don't have bsdstats or similar that I'm aware of installed, so this > smells bad: > > Firewall is showing repeated attempts from your FreeBSD machine to > connect to port 25 (standard SMTP mail port) on a server in Belgium. This > implies

hacked?

2010-04-14 Thread Steve Franks
I don't have bsdstats or similar that I'm aware of installed, so this smells bad: Firewall is showing repeated attempts from your FreeBSD machine to connect to port 25 (standard SMTP mail port) on a server in Belgium. This implies something on your system is trying to send mail out. [14/Apr/2010

Re: FreeBSD 6.3 installation hacked

2009-09-22 Thread Leandro Quibem Magnabosco
Aflatoon Aflatooni escreveu: I found a script in /tmp directory which could have been uploaded using php or Java. How would they execute the code in /tmp directory? Thanks You can execute files from scripts or from apache itself when they are scripts. There are several programming/scriptin

Re: FreeBSD 6.3 installation hacked

2009-09-22 Thread Aflatoon Aflatooni
Sent: Tuesday, September 22, 2009 8:51:05 AM Subject: Re: FreeBSD 6.3 installation hacked Aflatoon Aflatooni escreveu: > My server installation of FreeBSD 6.3 is hacked and I am trying to find out > how they managed to get into my Apache 2.0.61. > This is what I see in my http error

Re: FreeBSD 6.3 installation hacked

2009-09-22 Thread Brian Seklecki
On Tue, 2009-09-22 at 05:01 -0700, Aflatoon Aflatooni wrote: > My server installation of FreeBSD 6.3 is hacked and I am trying to find out > how they managed to get into my Apache 2.0.61. > > This is what I see in my http error log: > > [Mon Sep 21 02:00:01 2009] [noti

Re: FreeBSD 6.3 installation hacked

2009-09-22 Thread Leandro Quibem Magnabosco
Aflatoon Aflatooni escreveu: My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61. This is what I see in my http error log: [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down [Mon Sep 21 02:00:14 2009] [notice

FreeBSD 6.3 installation hacked

2009-09-22 Thread Aflatoon Aflatooni
My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61. This is what I see in my http error log: [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP

RE: server was hacked

2007-08-11 Thread Tamouh H.
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brent > Sent: August 11, 2007 7:21 AM > To: [EMAIL PROTECTED] > Subject: server was hacked > > I'm running FBSD 5.4 as a web server the server is behind a > cisco fire

Re: server was hacked

2007-08-11 Thread Erik Osterholm
On Sat, Aug 11, 2007 at 07:20:31AM -0400, Brent wrote: > a compromised mambo site. after getting rid of the program I changed > our router to disallow this type of traffic..& started trying to fix > the box. I'm pretty sure that root wasn't compromised but I'm going to > re-install anyway. my question

Re: server was hacked

2007-08-11 Thread Bill Moran
On Sat, 11 Aug 2007 13:54:29 +0200 "Heiko Wundram (Beenic)" <[EMAIL PROTECTED]> wrote: > > > On FBSD how do you checksum binaries on the system to ensure someone hasn't > > replaced one with their own binary. > > Install security/tripwire and configure properly. Note that tripwire isn't the only

Re: server was hacked

2007-08-11 Thread Frank Wissmann
Brent wrote: , How exactly are they getting in? What are the things I can do to prevent this? On FBSD how do you checksum binaries on the system to ensure someone hasn't replaced one with their own binary. Do yourself a favor and buy the book BSD Hacks by Dru Lavigne O'Reilly Media ISBN 0-596

Re: server was hacked

2007-08-11 Thread Mohd Ghalib Akhtar
:29 PM Subject: Re: server was hacked On Saturday 11 August 2007 13:20:31 Brent wrote: > I'm running FBSD 5.4 as a web server the server is behind a cisco firewall > /router and the server has a lot of CMS Joomla / mambo sites on it. I > noticed that when I ran sockstat I was seeing multiple I

Re: server was hacked

2007-08-11 Thread Heiko Wundram (Beenic)
On Saturday 11 August 2007 13:20:31 Brent wrote: > I'm running FBSD 5.4 as a web server the server is behind a cisco firewall > /router and the server has a lot of CMS Joomla / mambo sites on it. I > noticed that when I ran sockstat I was seeing multiple IPs connected to > high ports on the server w

server was hacked

2007-08-11 Thread Brent
I'm running FBSD 5.4 as a web server; the server is behind a cisco firewall /router and the server has a lot of CMS Joomla / mambo sites on it. I noticed that when I ran sockstat I was seeing multiple IPs connected to high ports on the server with a process id of "psybnc". Did some looking around & f

Re: Errors running "UNIX-System V" ELF executables [I've been hacked!]

2007-04-16 Thread Dan S.
didn't show any compatibility files up. (In particular, no ' > linux.ko'; I have loaded that module on the qemu version to see if I could > get further.) > - In my qemu freeBSD, under the jail, neither program runs either as root or > as the hacked user: > - $HOME/

Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Paul Schmehl
he 9th, I've only seen one set of blatant/brute-force attempts at my ssh server. It's interesting, but the major drop in attempts has me more worried than the attempts (could this drop off be because they no longer need to hack me? Could they have hacked me and that be the reason why?) How wor

Re: Errors running "UNIX-System V" ELF executables [I've been hacked!]

2007-04-14 Thread Boris Samorodov
know if > the 'miro' rootkit was successful or not. I'm crossing my fingers that it > wasn't, and trying to investigate a bit what it does. "kldstat" on the > hosted server didn't show any compatibility files up. (In particular, no ' > linux

Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Martin Hudec
Jim Stapleton wrote: I have DSA. I will change it to a nonstandard port, but I was wondering what your opinion on a good way to check if this is the result of me being hacked, or just someone losing interest. If you are hacked, then something might or might not be going on your system

Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Gabor Kovesdan
Jim Stapleton wrote: I have DSA. I will change it to a nonstandard port, but I was wondering what your opinion on a good way to check if this is the result of me being hacked, or just someone losing interest. Well, I think the latter. If you have an up-to-date system with up-to-date

Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Bill Moran
CEPT local > > As of the 9th, I've only seen one set of blatant/brute-force attempt > at my ssh server. It's interesting, but the major drop in attempts has > me more worried than the attempts (could this drop off be because they > no longer need to hack me? Could they have

Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Jim Stapleton
I have DSA. I will change it to a nonstandard port, but I was wondering what your opinion on a good way to check if this is the result of me being hacked, or just someone losing interest. On 4/14/07, Gabor Kovesdan <[EMAIL PROTECTED]> wrote: Jim Stapleton wrote: > Once I opened

Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Gabor Kovesdan
at my ssh server. It's interesting, but the major drop in attempts has me more worried than the attempts (could this drop off be because they no longer need to hack me? Could they have hacked me and that be the reason why?) How worried should I be, and what's the best recourse for this?

Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Jim Stapleton
It's interesting, but the major drop in attempts has me more worried than the attempts (could this drop off be because they no longer need to hack me? Could they have hacked me and that be the reason why?) How worried should I be, and what's the best recourse for this? Thanks,

Errors running "UNIX-System V" ELF executables [I've been hacked!]

2007-04-13 Thread Dan S.
't, and trying to investigate a bit what it does. "kldstat" on the hosted server didn't show any compatibility files up. (In particular, no ' linux.ko'; I have loaded that module on the qemu version to see if I could get further.) - In my qemu freeBSD, under the jail, neit

Re: Hacked Web Site

2006-05-19 Thread Kevin Kinsey
Don O'Neil wrote: A customer of mine recently had their web site hacked and the index file defaced by Milli-Harekat... http://www.zone-h.org/en/search/what=Milli-Harekat.Org/ Does anyone know the exploit used for this and where to find out about fixing it? I have a feeling it's a b

Re: Hacked Web Site

2006-05-19 Thread Daniel A.
Don O'Neil wrote: A customer of mine recently had their web site hacked and the index file defaced by Milli-Harekat... http://www.zone-h.org/en/search/what=Milli-Harekat.Org/ Does anyone know the exploit used for this and where to find out about fixing it? I have a feeling it's a b

Hacked Web Site

2006-05-18 Thread Don O'Neil
A customer of mine recently had their web site hacked and the index file defaced by Milli-Harekat... http://www.zone-h.org/en/search/what=Milli-Harekat.Org/ Does anyone know the exploit used for this and where to find out about fixing it? I have a feeling it's a brute force attack of some

Re: Hacked? How can I tell what process is sending packets from a particular port (udp/55613)?

2006-05-01 Thread Nils Vogels
Frank Steinborn wrote on 30-04-2006 22:58: > boink wrote: > >> Dear FreeBSD, >> >> I see outbound packets from udp/55613, one every 5 seconds, to a >> single non-routable (10) IP, with destination port increasing by 1 >> with each packet, with expected ICMP Destination net unreachables from

Re: Hacked? How can I tell what process is sending packets from a particular port (udp/55613)?

2006-04-30 Thread Glenn Dawson
At 01:52 PM 4/30/2006, boink wrote: Dear FreeBSD, I see outbound packets from udp/55613, one every 5 seconds, to a single non-routable (10) IP, with destination port increasing by 1 with each packet, with expected ICMP Destination net unreachables from an upstream router. AFAIK, there's no

Re: Hacked? How can I tell what process is sending packets from a particular port (udp/55613)?

2006-04-30 Thread Frank Steinborn
boink wrote: > Dear FreeBSD, > > I see outbound packets from udp/55613, one every 5 seconds, to a > single non-routable (10) IP, with destination port increasing by 1 > with each packet, with expected ICMP Destination net unreachables from > an upstream router. > > AFAIK, there's no reason fo

Hacked? How can I tell what process is sending packets from a particular port (udp/55613)?

2006-04-30 Thread boink
Dear FreeBSD, I see outbound packets from udp/55613, one every 5 seconds, to a single non-routable (10) IP, with destination port increasing by 1 with each packet, with expected ICMP Destination net unreachables from an upstream router. AFAIK, there's no reason for this and I don't like it -

Re: Haven't been hacked, just prone to man-in-the-middle attacks (WAS: I have been hacked)

2006-01-20 Thread Vince Hoffman
all though) When I "used" my FreeBSD gateway as an smtp server to convince myself I had been hacked, the smtp connection was somehow redirected to one of my institution's mail servers (or at least that's what gmail's mail headers are saying). Funny enough the same trick no l

Haven't been hacked, just prone to man-in-the-middle attacks (WAS: I have been hacked)

2006-01-19 Thread Kilian Hagemann
D gateway as an smtp server to convince myself I had been hacked, the smtp connection was somehow redirected to one of my institution's mail servers (or at least that's what gmail's mail headers are saying). Funny enough the same trick no longer works today, but then they're

Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Will Maier
On Wed, Jan 18, 2006 at 05:38:50PM +0200, Kilian Hagemann wrote: > On Wednesday 18 January 2006 16:25, Will Maier pondered: > > On Wed, Jan 18, 2006 at 03:56:32PM +0200, Kilian Hagemann wrote: > > > I have never even heard of "frox" before, but after some > > > googling it turns out that it's a GPL

Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Kilian Hagemann
On Wednesday 18 January 2006 17:13, [EMAIL PROTECTED] pondered: > sendmail_enable="NONE" would do the same as all that other crap mentioned > I find it a waste of time trying to figure out how a hacker got in just > format the machine reinstall freebsd and secure the box up a bit and try > updating

Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Kilian Hagemann
On Wednesday 18 January 2006 16:25, Will Maier pondered: > On Wed, Jan 18, 2006 at 03:56:32PM +0200, Kilian Hagemann wrote: > > I have never even heard of "frox" before, but after some googling > > it turns out that it's a GPL'ed transparent ftp proxy... > > Where's it pointing? No idea, I only we

Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread chris
sendmail_enable="NONE" would do the same as all that other crap mentioned. I find it a waste of time trying to figure out how a hacker got in; just format the machine, reinstall freebsd and secure the box up a bit and try updating it when vulnerabilities are out. And this shouldn't happen again >> Also

Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Crispy Beef
Also, I said smtp ports were open on the machines in question, I just verified that I can send emails via BOTH these systems even though no sendmail/exim/whatever was ever installed by me and sendmail_enable="None" on both. For what it's worth, to disable sendmail on 5.0 and later, you need: s

Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Will Maier
On Wed, Jan 18, 2006 at 03:56:32PM +0200, Kilian Hagemann wrote: > I have never even heard of "frox" before, but after some googling > it turns out that it's a GPL'ed transparent ftp proxy... Where's it pointing? > Also, I said smtp ports were open on the machines in question, I > just verified t

I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Kilian Hagemann
On Wednesday 18 January 2006 14:34, Ken Stevenson pondered: > Is there any chance you have a router that's forwarding the ports > in question to another computer? Not that I know of. The setup is quite simple: wireless ethernet(PPPoE) ethernet ISP<--->Modem<-->

Re: Have I been hacked or is nmap wrong?

2006-01-18 Thread Ken Stevenson
On Wed, Jan 18, 2006 at 11:29:38AM +0200, Kilian Hagemann wrote: > On Tuesday 17 January 2006 19:27, Micheal Patterson pondered: > > > The 1663 ports scanned but not shown below are in state: filtered) > > > PORT STATE SERVICE > > > 80/tcp open http > > > 554/tcp open rtsp > > > 1755/tcp o

Re: Have I been hacked or is nmap wrong?

2006-01-18 Thread Kilian Hagemann
On Tuesday 17 January 2006 19:27, Micheal Patterson pondered: > > The 1663 ports scanned but not shown below are in state: filtered) > > PORT STATE SERVICE > > 80/tcp open http > > 554/tcp open rtsp > > 1755/tcp open wms > > 5190/tcp open aol > > Kilian, what does a sockstat show you on

Re: Have I been hacked or is nmap wrong?

2006-01-17 Thread Micheal Patterson
- Original Message - From: "Kilian Hagemann" <[EMAIL PROTECTED]> To: Sent: Tuesday, January 17, 2006 11:07 AM Subject: Have I been hacked or is nmap wrong? Hi there, I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the other 5.3-STABLE,

Re: Have I been hacked or is nmap wrong?

2006-01-17 Thread Ken Stevenson
't noticed anything different on the servers themselves and neither > can > I detect these open ports on the machine itself (using lsof -i :1-65535 or > netstat). I also haven't noticed any abnormal traffic volumes originating > from them. > > So, have I been hacked and

Have I been hacked or is nmap wrong?

2006-01-17 Thread Kilian Hagemann
ormal traffic volumes originating from them. So, have I been hacked and rootkitted? Or is nmap simply lying to me? I've been subscribed to freebsd-announce and thus seen all SA's to date, but none of them are relevant to any of my setups. -- Kilian Hagemann Climate Systems Analysi

RE: Has this box been hacked?

2005-07-10 Thread Ted Mittelstaedt
EMAIL PROTECTED] Behalf Of Brett Glass >Sent: Sunday, July 10, 2005 11:26 AM >To: Ted Mittelstaedt; [EMAIL PROTECTED] >Subject: RE: Has this box been hacked? > > >The person who set the system up did not leave on bad terms. >However, before taking the system down and setting it

RE: Has this box been hacked?

2005-07-10 Thread Brett Glass
The person who set the system up did not leave on bad terms. However, before taking the system down and setting it up from scratch (and charging them to do so) I'd like to know if anyone is aware of whether what I saw is common on boxes that have been rooted. Is that "shutdown" entry cause for conc

RE: Has this box been hacked?

2005-07-10 Thread Ted Mittelstaedt
When I am in that same position as a rule I tell the customer that I would assume the system was rooted. The reason is that all of the times I've been called in on this type of job it has been because the previous admin was fired and they wanted to make sure he wasn't getting back in remotely and

Re: Has this box been hacked?

2005-07-08 Thread Hornet
> >Give us a list of services this box is running and we can give > >you a better idea of how easy it might be to root. > > > >Ted > > > >>-Original Message- > >>From: [EMAIL PROTECTED] > >>[mailto:[EMAIL PROTECTED] Behalf Of Brett Glass > >

Re: Has this box been hacked?

2005-07-08 Thread Brett Glass
At 05:32 PM 7/7/2005, J65nko BSD wrote: >If you would have installed something like tripwire or aide, you would have >been in a better position to find out whether the box has been owned. I didn't build the machine. --Brett Glass ___ freebsd-questi

RE: Has this box been hacked?

2005-07-08 Thread Brett Glass
unning and we can give >you a better idea of how easy it might be to root. > >Ted > >>-Original Message- >>From: [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] Behalf Of Brett Glass >>Sent: Wednesday, July 06, 2005 9:42 AM >>To: [EMAIL PROTECTED]

Re: Has this box been hacked?

2005-07-07 Thread J65nko BSD
On 7/6/05, Brett Glass <[EMAIL PROTECTED]> wrote: > > A client had a network problem, and I wanted to make sure that his FreeBSD > 4.11 > router wasn't the cause of it, so I rebooted it. I then did a "last" > command > and saw the following: > > root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04) > admi

RE: Has this box been hacked?

2005-07-06 Thread Ted Mittelstaedt
t;Sent: Wednesday, July 06, 2005 9:42 AM >To: [EMAIL PROTECTED] >Subject: Has this box been hacked? > > >A client had a network problem, and I wanted to make sure that >his FreeBSD 4.11 >router wasn't the cause of it, so I rebooted it. I then did a >"last" c

Has this box been hacked?

2005-07-06 Thread Brett Glass
A client had a network problem, and I wanted to make sure that his FreeBSD 4.11 router wasn't the cause of it, so I rebooted it. I then did a "last" command and saw the following: root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04) admin ttyp0 localhost

Re: Help...am I being hacked?

2004-11-25 Thread Conrad J. Sabatier
26.102.33:57216 flags:0x02 > Connection attempt to UDP 192.168.1.101:1026 from > 222.88.173.5:31889 > Connection attempt to TCP 192.168.1.101:9898 from > 67.1.4.194:3161 flags:0x02 These merely indicate connection *attempts*, not actual successful connections to your machine. They don

Help...am I being hacked?

2004-11-25 Thread Dino Vliet
Hi all, I'm using freebsd 4.10 on my laptop and I was browsing my filesystem and looking at some log files, when I stumbled into the file dmesg.yesterday in /var/log/ The contents of this file worried me. Take a look at the last lines of it: Connection attempt to TCP 192.168.1.101:5554 from 220.

Re: Help: I think I've been hacked! what can I do??

2004-06-15 Thread Alan B. Clegg
Out of the ether, Mark Jayson Alvarez spewed forth the following bitstream: >But when I launch the konqueror and typed something > in the address bar and hit enter, it says Host> Google, CNN, and a bunch of Akamized services were (are?) having problems this morning. Please try your request

Re: Help: I think I've been hacked! what can I do??

2004-06-15 Thread Hendrik Hasenbein
ternal modem is working fine. Question: Do you have any idea what could have happened with my pc? I honestly think that I've been hacked and I am being denied of service. Now, I only have one thing in my mind... to back up my files and reformat my freebsd partition. It could be a DNS issue.

Help: I think I've been hacked! what can I do??

2004-06-15 Thread Mark Jayson Alvarez
tom which indicates that I have a successful connection with my isp and they have provided me with a public ip address. I'm sending this email to you from Windows and I'm pretty sure that my external modem is working fine. Question: Do you have any idea what could have happened with my pc? I ho

false positive, or server hacked?

2004-04-15 Thread Piotr Gnyp
Hi, I'm running FreeBSD 5.2.1-p4, I've just installed the new version of chkrootkit 0.43 from freshports, and the report follows: Checking `date'... INFECTED Checking `lkm'... You have 115 process hidden for readdir command You have 23 process hidden for ps command Warning: Possible LKM Trojan install

Re: False positives from chkrootkit? or hacked test server?

2004-04-15 Thread Martin Hudec
Hello, thanks for the info :), that explains why my 4.9-STABLE was not infected and 4.10-BETA shows false positives.. But I am still bit unsure why my 5.2.1-RELEASE-p4 (not mentioning one false positive) stops while checking lkm.. Cheers, Martin On Thu, Apr 15,

Re: False positives from chkrootkit? or hacked test server?

2004-04-15 Thread Matthew Seaman
On Wed, Apr 14, 2004 at 12:29:19PM -0700, Mike wrote: > Well... I installed and ran chkrootkit. And the output shows that: > > Checking `chfn'... INFECTED > Checking `chsh'... INFECTED > Checking `date'... INFECTED > Checking `ls'... INFECTED > Checking `ps'... INFECTED > > No rootkits were foun

Re: False positives from chkrootkit? or hacked test server?

2004-04-14 Thread Martin Hudec
Hello all, On Wed, Apr 14, 2004 at 02:11:34PM -0700 or thereabouts, Mike wrote: > Jeff Maxwell wrote: > > >upgrade your ports. The chkrootkit that ships with 4.9 gives false > >positives > > I'm using chrootkit from fresh ports update (v4.3). Results are as: System 1 on 4.9-STABLE: no

Re: have i been hacked?

2004-04-14 Thread albi
On Wed, 14 Apr 2004 16:08:08 + Daniela <[EMAIL PROTECTED]> wrote: > > aragorn# ls -l /bin/rcp > > -r-sr-xr-x 1 root wheel 18392 Feb 23 20:41 /bin/rcp > > > > (notice the size!, someone mentioned that already on the list..) > > > > So obviously something weird happened. > > That needn't be

Re: False positives from chkrootkit? or hacked test server? [SOLVED]

2004-04-14 Thread Mike
Jeff Maxwell wrote: upgrade your ports. The chkrootkit that ships with 4.9 gives false positives Jeff: Thanks for the tip. I deinstalled the chkrootkit (v-4.1) that came with 4.9. I then downloaded and installed the most recent version (v-4.3) from the chkrootkit.org site. I re-ran chkroot

Re: False positives from chkrootkit? or hacked test server?

2004-04-14 Thread Bob Collins
On Wed, Apr 14, 2004, Mike clacked the keyboard to produce: > Greetings: > > My test system: > FreeBSD 4.9-stable > Pentium III 800 > > I read an earlier post about using chkrootkit to check for root kits > (intrusions). I'm still learning about FreeBSD so I thought I would run > this too. >

False positives from chkrootkit? or hacked test server?

2004-04-14 Thread Mike
Greetings: My test system: FreeBSD 4.9-stable Pentium III 800 I read an earlier post about using chkrootkit to check for root kits (intrusions). I'm still learning about FreeBSD so I thought I would run this too. Well... I installed and ran chkrootkit. And the output shows that: Checking `chf

Re: have i been hacked?

2004-04-14 Thread Matthew Seaman
On Wed, Apr 14, 2004 at 04:08:08PM +, Daniela wrote: [ size of the /bin/rcp executable ] > That needn't be the case. Mine is 932532 bytes long (and it was already that > size after a fresh reinstall). > And why? Debug symbols. I love to have them everywhere. > Try to strip the file, and it w

Re: have i been hacked?

2004-04-14 Thread dave
Hello everyone, Ok, I am almost certain I've been hacked now. I just checked the system for some strange accounts or things I didn't recognize. I didn't see anything in /etc/passwd, /etc/group, /etc/master.passwd, and so forth. I however ran chkrootkit and got two very di

Re: have i been hacked?

2004-04-14 Thread Dick Davies
* Luke Kearney <[EMAIL PROTECTED]> [0459 06:59]: > > On Wed, 14 Apr 2004 00:51:06 -0400 > "dave" <[EMAIL PROTECTED]> granted us these pearls of wisdom: > > > Hello, > > Wondering if a system on my network has been hacked? >

Re: have i been hacked?

2004-04-14 Thread Daniela
On Wednesday 14 April 2004 09:48, Remko Lodder wrote: > Dan Strick wrote: > >> ... > >>When i got the daily run > >>output i noticed the setuid files have changed. Wondering if this box got > >>hacked and if so where to look to confirm this? > >>

Re: have i been hacked?

2004-04-14 Thread Remko Lodder
Clint, I think you misread my message. Did "moving all the accounts and reinstalling" imply that I didn't do a reinstall? I simply copied over known original programs so I could make my backup and do some postmortem before reinstalling the system. As you say, who knows what other program w

Re: have i been hacked?

2004-04-14 Thread Clint Gilders
I had someone get into one of my machines when I stupidly left telnet running and an email from the system much like yours was what first alerted me to it. The kiddie had installed a new ls which didn't allow any switches. I imagine '-l' is needed for the suid check, so it fails and reports

Re: have i been hacked?

2004-04-14 Thread Remko Lodder
Clint Gilders wrote: dave wrote: Hello, Wondering if a system on my network has been hacked? At approx 12:30 this evening the hard disk went crazy, I have been out of town lately and have not checked any of the machines, when I did the CPU usage was at 15% which on this machine it never gets

Re: have i been hacked?

2004-04-14 Thread Clint Gilders
dave wrote: Hello, Wondering if a system on my network has been hacked? At approx 12:30 this evening the hard disk went crazy, I have been out of town lately and have not checked any of the machines, when I did the CPU usage was at 15% which on this machine it never gets above 1 maybe 1.5. So

Re: have i been hacked?

2004-04-14 Thread Bart Silverstrim
On Apr 14, 2004, at 1:47 AM, Luke Kearney wrote: On Wed, 14 Apr 2004 00:51:06 -0400 "dave" <[EMAIL PROTECTED]> granted us these pearls of wisdom: Hello, Wondering if a system on my network has been hacked? At approx 12:30 this evening the hard disk went crazy, I have been ou

Re: have i been hacked?

2004-04-14 Thread Remko Lodder
Dan Strick wrote: ... When i got the daily run output i noticed the setuid files have changed. Wondering if this box got hacked and if so where to look to confirm this? ... Checking setuid files and devices: ls: Terminated : No such file or directory guardian.davemehler.net setuid diffs

Re: have i been hacked?

2004-04-14 Thread Dan Strick
>> >... > When i got the daily run > output i noticed the setuid files have changed. Wondering if this box got > hacked and if so where to look to confirm this? >... > > Checking setuid files and devices: > ls: Terminated > : No such file or directory

Re: have i been hacked?

2004-04-14 Thread dave
Hi, Sorry, I should have specified, that's a 4.9 box, with the latest patches and ports. Thanks. Dave.

Re: have i been hacked?

2004-04-13 Thread Kris Kennaway
On Wed, Apr 14, 2004 at 12:51:06AM -0400, dave wrote: > Hello, > Wondering if a system on my network has been hacked? At approx 12:30 > this evening the hard disk went crazy, I have been out of town lately and > have not checked any of the machines, when I did the CPU usage was at

Re: have i been hacked?

2004-04-13 Thread Luke Kearney
On Wed, 14 Apr 2004 00:51:06 -0400 "dave" <[EMAIL PROTECTED]> granted us these pearls of wisdom: > Hello, > Wondering if a system on my network has been hacked? At approx 12:30 > this evening the hard disk went crazy, I have been out of town lately and > have not

Re: have i been hacked?

2004-04-13 Thread Micheal Patterson
- Original Message - From: "dave" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, April 13, 2004 11:51 PM Subject: have i been hacked? > Hello, > Wondering if a system on my network has been hacked? At approx 12:30 > this evening the hard d

have i been hacked?

2004-04-13 Thread dave
Hello, Wondering if a system on my network has been hacked? At approx 12:30 this evening the hard disk went crazy, I have been out of town lately and have not checked any of the machines, when I did the CPU usage was at 15% which on this machine it never gets above 1 maybe 1.5. So I looked

Re: hacked

2004-03-09 Thread Alex de Kruijff
On Tue, Mar 09, 2004 at 02:56:15AM +0800, re re wrote: > hello > despite having ipfilter blocking all ports except 80 21 and 22, tripwire, and > scoring 99 in nmap, my website got defaced. > the box is currently unplugged. I wanted to know what is the best way to find out > who did it and ho

Re: hacked

2004-03-08 Thread Kirk Strauser
At 2004-03-08T18:56:15Z, "re re" <[EMAIL PROTECTED]> writes: > hello despite having ipfilter blocking all ports except 80 21 and 22, > tripwire, and scoring 99 in nmap, my website got defaced. "Despite locking my door to my house, pulling the curtains, and sitting in a dark living room with a

Re: hacked

2004-03-08 Thread Ion-Mihai Tetcu
On Mon, 8 Mar 2004 21:22:24 +0200 Ion-Mihai Tetcu <[EMAIL PROTECTED]> wrote: > On Sat, 8 Mar 2003 20:02:02 +0100 > > "Remko Lodder" <[EMAIL PROTECTED]> wrote: > > Please set your date right. > > tnx And of course that should have been sent on private. Sorry. -- IOnu

Re: hacked

2004-03-08 Thread Ion-Mihai Tetcu
On Sat, 8 Mar 2003 20:02:02 +0100 "Remko Lodder" <[EMAIL PROTECTED]> wrote: Please set your date right. tnx -- IOnut Unregistered ;) FreeBSD user

RE: hacked

2004-03-08 Thread Remko Lodder
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] re re Sent: Monday, 8 March 2004 19:56 To: [EMAIL PROTECTED] Subject: hacked hello despite having ipfilter blocking all ports except 80 21 and 22, tripwire, and scoring 99 in nmap, my website got defaced. the box is currently unplugge

hacked

2004-03-08 Thread re re
hello, despite having ipfilter blocking all ports except 80 21 and 22, tripwire, and scoring 99 in nmap, my website got defaced. the box is currently unplugged. I wanted to know what is the best way to find out who did it and how they got in, and what to do from here. tripwire shows a lot of

Can't recieve nor send email suddenly. Am I being hacked?

2003-03-24 Thread Tak Pui LOU
queue (sendmail) After reboot, I got the above sendmail processes. Was my system hacked by someone? --- Lou To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message

Re: ftp.apcupsd.com hacked?

2003-01-21 Thread Mark
- Original Message - From: "Kris Kennaway" <[EMAIL PROTECTED]> To: "Mark" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Tuesday, January 21, 2003 6:32 PM Subject: Re: ftp.apcupsd.com hacked? On Tue, Jan 21, 2003 at 02:38:43PM +0100, Mark wrote:

Re: ftp.apcupsd.com hacked?

2003-01-21 Thread Kris Kennaway
rus (Sockets de Trois v1) > onto my system. :( So much for getting the latest version. > > Are they hacked or something?? Why are you asking us? Anyway, it's just as likely this was a false alarm by your virus scanner. Kris

ftp.apcupsd.com hacked?

2003-01-21 Thread Mark
version. Are they hacked or something?? - Mark System Administrator Asarian-host.org --- "If you were supposed to understand it, we wouldn't call it code." - FedEx