Re: I have a problem to my server running under FreeBSD 8.1 p-1 release
Hi,

On Saturday 23 June 2012 12:59:26 RetspaN Code wrote:
> Hello,
>
> Yes, I still have root access... that is why I am writing you a letter for help regarding this problem on my server, which is running FreeBSD 8.1 p1 release... I did paste the error that I encountered on the server in my first email.

This only shows that you have an intruder. It would be close to impossible to diagnose it right from a distance.

> Please help me to fix.

Get either a boot 8.3 media or 9.0 and make a fresh install which even overwrites the filesystem. Of course, make a backup of your user data. Use different passwords and - most important - keep the machine offline until the new system is installed.

I cannot think of a faster way to get rid of the problem.

Erich

> Thanks Erich,
>
> Regards,
> FredFoxs
>
> From: Erich Dollansky er...@alogreentechnologies.com
> To: RetspaN Code silent24_2...@yahoo.com; freebsd-questions@freebsd.org
> Sent: Saturday, June 23, 2012 12:21 PM
> Subject: Re: I have a problem to my server running under FreeBSD 8.1 p-1 release
>
> Hi,
>
> On Saturday 23 June 2012 09:47:35 RetspaN Code wrote:
> > Hello,
> >
> > Since you are all responsible for the FreeBSD source and updates... Is there
>
> you are the only one responsible for the break in. So, what was the problem?
>
> > any way to fix my server without reinstalling the system?
>
> Oh yes, you can find out what was done with your system and revert all changes. But you must be really sure what you are doing then. And you can do this only as long as you still have root access. Do you still have it?
>
> Erich

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: I have a problem to my server running under FreeBSD 8.1 p-1 release
Hi,

On Saturday 23 June 2012 13:24:02 RetspaN Code wrote:
> Hello,
>
> The intruder is already blocked, but my problem is that before they got blocked they loaded their exploit file onto my machine, and that is why my machine's /usr/src directory is set to read-only. I can't upload or put any file in that folder; it says permission denied. How do I repair it? Some of my files need to be updated, especially FreeBSD files. The intruder can't log in to the machine anymore through a terminal using root access because direct root login access is already disabled, and ttys is also set to IS or insecure. So my problem now is how to fix that issue so that I can update my server machine to the latest. I want to upgrade my 8.1 to 9.0; is it possible without problems after the updates?

chmod would be your friend. But you still do not know what kind of software is now running outside of your control. I would not even trust the compiler or even ls anymore on such a system.

erich
Re: I have a problem to my server running under FreeBSD 8.1 p-1 release
Hi,

On Saturday 23 June 2012 13:41:24 RetspaN Code wrote:
> 49129472 drwxr-x--x 20 root tonyx 512 Jun 5 13:00 ..

who belongs to this group?

> 49134586 -rw-r--r-- 1 root wheel 6206 Jun 13 2010 COPYRIGHT
> 49134587 -rw-r--r-- 1 root wheel 442 Jun 13 2010 LOCKS
> 49134588 -rw-r--r-- 1 root wheel 6659 Jun 13 2010 MAINTAINERS
> 49134589 -rw-r--r-- 1 root wheel 12990 Jun 13 2010 Makefile
> 49134590 -rw-r--r-- 1 root wheel 42773 Jun 13 2010 Makefile.inc1
> 49134591 -rw-r--r-- 1 root wheel 230253 Jun 13 2010 ObsoleteFiles.inc
> 49134592 -rw-r--r-- 1 root wheel 3087 Jun 13 2010 README
> 49134593 -rw-r--r-- 1 root wheel 69779 Sep 20 2010 UPDATING
> 49698048 drwxr-xr-x 40 root wheel 1024 Oct 28 2010 bin
> 49133812 -rw-r--r-- 1 root wheel 443 May 28 2011 bind.patch
> 49133815 -rw-r--r-- 1 root wheel 185 May 28 2011 bind.patch.asc
> 49134439 -rw-r--r-- 1 root wheel 2832 Dec 23 2011 bind8.patch
> 49133792 -rw-r--r-- 1 root wheel 885 Sep 20 2010 bzip2.patch

What are those files doing here?

> 49698539 drwxr-xr-x 8 root wheel 512 Oct 28 2010 cddl
> 49133586 -rw-r--r-- 1 root wheel 6549 Dec 23 2011 chroot8.patch

Again ...

> 49959740 drwxr-xr-x 208 root wheel 4096 Jun 2 20:13 usr.sbin

The access rights seem all to be right.

> CyberTech# ls -lia /usr/
> total 592
> 49129472 drwxr-x--x 20 root tonyx 512 Jun 5 13:00 .
> 2 drwx--x--x 23 root wheel 512 Jun 18 21:45 ..
> 49133557 lrwxr-xr-x 1 root tonyx 10 Oct 31 2010 X11R6 -> /usr/local
> 49129473 drwxr-xr-x 2 root 1001 7680 Jun 18 21:40 bin
> 49626757 drwxr-xr-x 2 root wheel 512 Oct 28 2010 compat
> 49653185 drwxr-xr-x 24 root wheel 1024 Oct 28 2010 doc
> 49626758 drwxr-xr-x 2 root wheel 512 Oct 28 2010 games
> 49270825 drwx--x--x 10 root wheel 512 Jun 22 05:01 home

I would use 755 for home. You can keep here wheel as the group.

> 49129474 drwxr-xr-x 47 root 1001 5120 Oct 28 2010 include
> 49129475 drwxr-xr-x 6 root 1001 11776 May 30 21:17 lib
> 49129476 drwxr-xr-x 5 root 1001 512 Jul 18 2010 libdata
> 49129477 drwxr-xr-x 5 root 1001 1536 Dec 28 05:45 libexec

What was group 1001? In /usr all should be owned by wheel.

> 49129478 drwxr-xr-x 18 root wheel 512 May 31 22:21 local
> 49626759 drwxr-xr-x 3 root wheel 512 Oct 28 2010 obj
> 49176576 drwx--x--x 69 root wheel 1536 Nov 5 2010 ports

I would not set the access rights like this for ports but it should be no harm. Do you know why it is like this?

> 49158174 drwx--x--x 3 root tonyx 512 May 20 07:56 rscr
> 49134479 -rw-r--r-- 1 root tonyx 517120 Jun 5 13:00 rscr.tar

What is group tonyx?

> 49129481 drwx-- 22 root wheel 1024 Jan 7 02:27 src

The same as ports.

> 49698045 drwxr-xr-x 5 root wheel 512 Oct 28 2010 sup
> 49155246 drwxr-xr-x 2 root tonyx 512 Oct 28 2010 uscr

Why is there a uscr there?

> CyberTech#

It seems that you are from a small island.

> Can you help me, Sir, to find out what is going on in my machine?

It will be difficult to fix this from a distance!

Erich
Re: I have a problem to my server running under FreeBSD 8.1 p-1 release
Hi,

On Saturday 23 June 2012 14:20:58 RetspaN Code wrote:
> That was before. And I notice most of the files in the / directory are not owned by the wheel group. :( I try to chown, but it is still not done. Can you tell me why that happened?

all in / has to be owned by root:wheel.

Who else has had root access and might have left the company since then?

Erich

> Thanks! Erich
>
> Regards,
> FredFoxs
>
> From: Erich Dollansky erichfreebsdl...@ovitrap.com
> To: RetspaN Code silent24_2...@yahoo.com; freebsd-questions@freebsd.org
> Sent: Saturday, June 23, 2012 3:02 PM
> Subject: Re: I have a problem to my server running under FreeBSD 8.1 p-1 release
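The ownership review Erich does by eye in the two replies above (the unexpected group tonyx and the bare gid 1001 in /usr, and "all in / has to be owned by root:wheel") can be scripted. This is an added example, not part of the thread; the function names are hypothetical and the sample input is a few lines from the poster's `ls -lia /usr` listing, re-spaced.

```sh
#!/bin/sh
# Added example, not from the thread: flag entries in `ls -lia` output whose
# owner or group differs from the expected baseline (root:wheel here).

# sample_listing: a few lines from the listing quoted in the thread, re-spaced.
sample_listing() {
    cat <<'EOF'
total 592
49129472 drwxr-x--x  20 root  tonyx     512 Jun  5 13:00 .
49129473 drwxr-xr-x   2 root  1001     7680 Jun 18 21:40 bin
49626757 drwxr-xr-x   2 root  wheel     512 Oct 28  2010 compat
49129478 drwxr-xr-x  18 root  wheel     512 May 31 22:21 local
49134479 -rw-r--r--   1 root  tonyx  517120 Jun  5 13:00 rscr.tar
EOF
}

# audit_listing OWNER GROUP < listing
# Prints one tab-separated line per finding: REASONS, OWNER:GROUP, NAME.
audit_listing() {
    awk -v want_owner="$1" -v want_group="$2" '
        # Entry lines start with an inode number followed by a mode string.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[-dlbcps]/ && NF >= 10 {
            owner = $4; group = $5
            name = $10
            for (i = 11; i <= NF; i++) name = name " " $i   # spaces, symlink targets
            if (name == "..") next       # parent directory: audit it in its own listing
            reasons = ""
            if (owner != want_owner) reasons = reasons "owner "
            # ls prints a bare number when the gid has no entry in /etc/group.
            if (group ~ /^[0-9]+$/) reasons = reasons "unnamed-gid "
            else if (group != want_group) reasons = reasons "group "
            sub(/ $/, "", reasons)
            if (reasons != "") printf "%s\t%s:%s\t%s\n", reasons, owner, group, name
        }'
}

# Stand-alone run on the sample listing.
sample_listing | audit_listing root wheel
```

On a real host, feed it `ls -lia` output produced while booted from trusted install media, since, as the thread notes, `ls` on the compromised system itself cannot be trusted.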
Re: I have a problem to my server running under FreeBSD 8.1 p-1 release
Hi,

On Saturday 23 June 2012 14:44:18 RetspaN Code wrote:
> It is owned by root:wheel now, but now I'm under a DDoS attack. :( But it is still not done; the exploit is not yet removed. My server is too laggy due to the DDoS attack.

The server must be off-line if you want to have the tiniest chance to get it back again.

Erich
Re: I have a problem to my server running under FreeBSD 8.1 p-1 release
Hi,

On Saturday 23 June 2012 15:33:45 RetspaN Code wrote:
> also this
>
> 14417 ?? Ss 0:00.02 /bin/sh - /usr/sbin/periodic daily
> 14425 ?? I 0:00.04 /bin/sh - /usr/sbin/periodic daily

As long as it is online, there is a very, very low chance to get anything done. And even when it is taken off-line, it will be difficult to stop all the programs in one go.

This machine does not look good.

Erich
Re: I have a problem to my server running under FreeBSD 8.1 p-1 release
Hi,

On Saturday 23 June 2012 09:47:35 RetspaN Code wrote:
> Hello,
>
> Since you are all responsible for the FreeBSD source and updates... Is there

you are the only one responsible for the break in. So, what was the problem?

> any way to fix my server without reinstalling the system?

Oh yes, you can find out what was done with your system and revert all changes. But you must be really sure what you are doing then. And you can do this only as long as you still have root access. Do you still have it?

Erich
I have a problem!
I'm using FreeBSD 4.10-RELEASE with two systems. Both have VIA chipsets - the older KT133A (my parents' home) and the newer KM266 (my home). For both of them I've compiled specific kernels, with ACPI support.

KT133A works perfectly - no errors, warnings or anything of this kind. With KM266 there is a problem: fdc0 is NOT detected, for the kernel cannot reserve I/O ports. With ACPI disabled, on the other hand, the USB subsystem reports various errors - restarting one or more ports, then giving up with controller configuration. The GENERIC kernel you provide works well when apm0 is off (the ASROCK MB I use has only ACPI), but it has no ACPI support.

What can I do (in order to have ACPI, fdc0 and USB working well)?

Thank you.

Vlad Tudorache, [EMAIL PROTECTED]
Re: I have a problem!
On Sun, Jul 25, 2004 at 08:38:52AM -, Vlad Tudorache wrote:
> I'm using FreeBSD 4.10-RELEASE with two systems. Both have VIA chipsets - the older KT133A (my parents' home) and the newer KM266 (my home). For both of them I've compiled specific kernels, with ACPI support.
>
> KT133A works perfectly - no errors, warnings or anything of this kind. With KM266 there is a problem: fdc0 is NOT detected, for the kernel cannot reserve I/O ports. With ACPI disabled, on the other hand, the USB subsystem reports various errors - restarting one or more ports, then giving up with controller configuration. The GENERIC kernel you provide works well when apm0 is off (the ASROCK MB I use has only ACPI), but it has no ACPI support.
>
> What can I do (in order to have ACPI, fdc0 and USB working well)?

[ Format recovered, as Greg says. Pressing the return key is good for your Karma]

Other than waiting patiently, I don't think that there is actually a good solution to this problem right now. Turning on ACPI support kills access to the floppy drive on quite a few motherboards and for most available system versions.

There was this thread on [EMAIL PROTECTED] quite recently, which offers a glimmer of hope that a fix is on the horizon, but no indication when, or indeed, if, anything will be MFC's to 4.x:

http://lists.freebsd.org/pipermail/freebsd-current/2004-June/028938.html

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614