Steve Bertrand <[EMAIL PROTECTED]> wrote:
> Now what I want to do is to just reinstall the whole
> operating system and secure it as possible as I can. Like
> someone told, it's just a waste to try to track it down
> because the intruder might be located somewhere on the other
> side of the world.
They are always on the other side of the world...this is the Internet.
If that is your solution, I would recommend reconfiguring your FTP
server's DNS entries, and applying another IP to the box, lest you be
affected again. However, that won't even fix it, because it will just be
found again by someone else.
Unplugging the box just informs the attacker that you are aware of them.
Moving the IP just makes people re-locate you. The solution is to make the
box accessible to only those who need it...and only the services they
need.
.02 Steve
No, that is not the solution I'm thinking of. You see, right now that
machine contains at least 200 Gb of important files... I'm just paranoid that
the intruder might just launch an rm -rf. Right now we don't have a backup of
those files yet.
I'm really eager to know how the intruder got into our machine, I'm just
afraid that he might be reading everything I am typing in the terminal. I am
also disappointed because most of our server configuration files are in my
home directory, but doing an ls /tmp... I found those files. Those files are
our proxy configurations containing all of our peer proxies (IP addresses) and
also the squid.conf, which I'm afraid the intruder can use to launch an
attack on our proxy farm. You see, those proxies aren't in a very secure mode
yet, but they are the MOST critical service in our company because all of our
partners are passing through those proxies. Now what I really want to do is to
just do the right thing, but only one by one. I got so many replies; someone
even suggested finding out the IRC channel and trying to have a little chat with
the intruders. Someone suggested putting up a firewall before it and trying to
dump the packets to retrieve relevant information. I'm really so confused
right now as to where to start....
Right now, the server is currently inaccessible from the network, but it is
still running (I just remembered someone suggested not shutting it down
because the script the intruder used might get automatically erased).
From there... where should I start?
Thank you very much.
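As an added example (not from anyone in this thread), a small POSIX sh script for the situation described above: the box is isolated but still running, the intruder's files are sitting in /tmp, and nothing has been reinstalled yet. It copies those files onto separate media with a sha256 manifest and records volatile state (processes, sockets, logins) that would be lost on reboot. The evidence paths under /mnt/usb are assumptions; run it as root on the isolated machine.

```shell
#!/bin/sh
# Added example (not from the thread): preserve the intruder's files found in
# /tmp and a snapshot of the running system's state before anything is
# reinstalled. Evidence paths are assumptions; run as root on the isolated box.
# Uses FreeBSD's sha256(1) when present, otherwise sha256sum(1).
set -eu

hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# preserve_dir SRC DEST: copy every regular file under SRC into DEST/files,
# keeping owner, mode and mtime, and write DEST/manifest with the sha256 and
# relative path of each copy so later tampering or copy errors are detectable.
preserve_dir() {
    src=${1%/}; dest=$2
    mkdir -p "$dest/files"
    : > "$dest/manifest"
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dest/files/$(dirname "$rel")"
        cp -p "$f" "$dest/files/$rel"
        # hash the copy, not the original, so the manifest vouches for
        # what was actually preserved
        printf '%s  %s\n' "$(hash_file "$dest/files/$rel")" "$rel" >> "$dest/manifest"
    done
    hash_file "$dest/manifest" > "$dest/manifest.sha256"
}

# snapshot_state DEST: record volatile state that disappears at reboot.
# Each tool is optional, so missing commands just leave an error note behind.
snapshot_state() {
    dest=$1
    mkdir -p "$dest"
    ps auxww > "$dest/ps.txt" 2>/dev/null || true
    for cmd in "sockstat -46" "netstat -an" "w" "last" "crontab -l" "ls -la /tmp"; do
        name=$(printf '%s' "$cmd" | tr ' /' '__')
        eval "$cmd" > "$dest/$name.txt" 2>&1 || true
    done
}

# Usage on the isolated box (evidence goes on separate media, e.g. a USB stick):
#   snapshot_state /mnt/usb/evidence/state
#   preserve_dir /tmp /mnt/usb/evidence/tmp
```

Verify the manifest against manifest.sha256 on a clean machine before trusting the copies, and keep the original box untouched until that check passes.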
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions