On 01/10/2014 12:33 PM, Stuart Henderson wrote:
> On 2014-01-10, agrquinonez <agrquino...@riseup.net> wrote:
>> I downloaded it from http://ftp.Openbsd.org; yes, it was checked;
>> DokuWiki came from pkg_add; password is never used; I do ssh-copy-id and
>> then ssh key + pass-phrase.
>
> Are password logins *disabled* (and if so, where and how), or do
> you just not use them?

Yes, sshd_config, password authentication no

> How about ftp access, if you're running it, is it anonymous-only
> (e.g. ftpd -A) or do regular users have access?

Yes, ftpd_flags="USA" rc.conf.local

> Faced with this type of situation I'd get the machine offline,
> put the disk on another (clean) machine - don't boot from it
> but mount/duplicate the disk - compare (diff) with a clean
> install of things that are supposed to be on it, looking to
> see what changes have been made (your config changes, programs
> that you may have forgotten about, any files that may have
> been brought over by the attacker, log entries, etc), and
> look for clues..
>

Thanks Stuart, it is going to be very useful, if the trap works. For now, I
did a clean installation after reading the logs and reviewing almost everything.
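
The offline comparison suggested in the quoted advice (mount the suspect disk on a clean machine and diff it against a clean install) could look like the following. This is an added example, not part of the original thread; the function names and the constructed sample trees are assumptions, and in practice the two roots would be the read-only mount of the suspect disk and a reference install of the same release.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map relative path -> (file type, permission bits, SHA-256 or link target)."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)              # never follow links into the analysis host
            if stat.S_ISLNK(st.st_mode):
                content = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as f:
                    content = hashlib.sha256(f.read()).hexdigest()
            else:
                content = None               # directories, devices, sockets: metadata only
            snap[os.path.relpath(full, root)] = (
                stat.S_IFMT(st.st_mode), stat.S_IMODE(st.st_mode), content)
    return snap

def compare(clean_root, suspect_root):
    """Report paths added, missing or changed on the suspect tree, plus set-id hits."""
    clean, suspect = snapshot(clean_root), snapshot(suspect_root)
    added = sorted(set(suspect) - set(clean))
    missing = sorted(set(clean) - set(suspect))
    changed = sorted(p for p in set(clean) & set(suspect) if clean[p] != suspect[p])
    setid = sorted(p for p in added + changed
                   if suspect[p][1] & (stat.S_ISUID | stat.S_ISGID))
    return {"added": added, "missing": missing, "changed": changed, "setid": setid}

def _put(root, rel, data, mode):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed sample trees standing in for a clean install and the mounted disk."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = os.path.join(tmp, "clean"), os.path.join(tmp, "suspect")
        _put(clean, "etc/motd", b"welcome\n", 0o644)
        _put(clean, "usr/bin/tool", b"binary", 0o755)
        _put(clean, "var/log/authlog", b"entries\n", 0o640)
        _put(suspect, "etc/motd", b"welcome\n", 0o644)
        _put(suspect, "usr/bin/tool", b"binary", 0o4755)   # same bytes, set-uid added
        _put(suspect, "tmp/.hidden", b"dropped", 0o755)
        return compare(clean, suspect)

if __name__ == "__main__":
    print(demo())
```

Files that are expected to differ (local configuration, logs) will show up under "changed" as well; those are the entries to read by hand, while "added" and "setid" point at things a clean install never shipped.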