Looking for FreeBSD Help - GoFuckYourself.com

Boozer · 08-14-2007, 07:23 PM

Long story short. It appears someone compromised my server and replaced some vital command files ( ls netstat ps du find killall pstree top vdir whereis) to Linux versions.

Does anyone have FreeBSD copies of these files they could send me?

I am hoping to replace these files and begin some sort of investigation and not have to do a OS reload..

Any other possible suggestions?

Thanks

cashbot · 08-14-2007, 07:47 PM

If the server is compromised then you don't have any other option except to format the drive and reinstall, hope you have good backups. You can't trust anything your server tells you, there could be backdoors anywhere.

Boozer · 08-14-2007, 07:49 PM

Quote:

Originally Posted by cashbot

If the server is compromised then you don't have any other option except to format the drive and reinstall, hope you have good backups. You can't trust anything your server tells you, there could be backdoors anywhere.

I will take my chances.. Awful hard to start anywhere when I cant even see what proccess are running

Intricate · 08-14-2007, 07:50 PM

hey i can help you out if you want... contact me on ICQ.

cashbot · 08-14-2007, 07:51 PM

that's why hackers install their own versions of ps, lsof etc... So they can hide the haxor processes they have running.

split_joel · 08-14-2007, 08:18 PM

Quote:

Originally Posted by Boozer

Long story short. It appears someone compromised my server and replaced some vital command files ( ls netstat ps du find killall pstree top vdir whereis) to Linux versions.

Does anyone have FreeBSD copies of these files they could send me?

I am hoping to replace these files and begin some sort of investigation and not have to do a OS reload..

Any other possible suggestions?

Thanks

You really should do a reinstall.

pornpf69 · 08-14-2007, 08:32 PM

format everything...and re install the OS...

rowan · 08-14-2007, 08:34 PM

Here's another hand for reinstalling from scratch. Restore data, not executables.

Boozer · 08-14-2007, 08:56 PM

Thanks for the replies.

I agree with an OS reload.

But I would like to at least try and look into the issue before I go through with a re-install.

Without the proper tools I cant see ANYTHING

rowan · 08-14-2007, 09:20 PM

You need more than people to send you replacement files, get expert help so you can be sure it's not going to happen again.

mikesouth · 08-14-2007, 09:33 PM

I was a UNIX admin for NASA Im gonna tell you like it is man.

FORMAT and reinstall PERIOD

you are fucked if you dont

and afterwards make sure your security is audited by a real UNIX admin

rowan · 08-14-2007, 11:46 PM

Quote:

Originally Posted by mikesouth

I was a UNIX admin for NASA Im gonna tell you like it is man.

FORMAT and reinstall PERIOD

you are fucked if you dont

and afterwards make sure your security is audited by a real UNIX admin

Better to do it the other way around so it doesn't happen again. Security guy looks at the server now, figures out what went wrong, reinstalls and applies necessary patches.

tASSy · 08-14-2007, 11:50 PM

total reinstall. it's the only way to be sure if your entire server is compromised.

darksoul · 08-15-2007, 12:35 AM

Your server must've been really old because its not such a piece of cake
to get root on a freebsd server.
You probably had some 4.x, I would reinstall with a newer version of the os
and have the server locked down by someone who knows what he's doing.

08-14-2007, 07:23 PM	#1
Boozer So Fucking Banned Join Date: Feb 2005 Posts: 3,134	Looking for FreeBSD Help Long story short. It appears someone compromised my server and replaced some vital command files ( ls netstat ps du find killall pstree top vdir whereis) to Linux versions. Does anyone have FreeBSD copies of these files they could send me? I am hoping to replace these files and begin some sort of investigation and not have to do a OS reload.. Any other possible suggestions? Thanks

08-14-2007, 07:50 PM	#4
Intricate Confirmed User Join Date: Jun 2007 Location: Quebec City, Quebec Posts: 133	hey i can help you out if you want... contact me on ICQ. __________________ chesterbanksphp [.at.] gmail.com icq: 350 656 495

08-14-2007, 08:32 PM	#7
pornpf69 Too lazy to set a custom title Join Date: Jun 2004 Location: Brasil Posts: 15,778	format everything...and re install the OS... __________________ Do you need cheap, fast and reliable porn website hosting? Host Head is the way to go!! Asian Gay Special \| Live on MSN - Live Webcam Chat \| Live Adult Webcam Performances \| MY SWEET BLACKS LIVE ON CAM Cash X \| OK Pay \| Pukka Ropes \| Pukka Fetish \| STRAPED BLOG \| Male Bound and Fucked Pukka Tranny \| Tattooed Shemales \| She's A He \| Menu Porno \| Porn Performances \| All Chubby MY ICQ# 169833797

08-14-2007, 09:33 PM	#11
mikesouth Confirmed User Industry Role: Join Date: Jun 2003 Location: My High Horse Posts: 6,334	I was a UNIX admin for NASA Im gonna tell you like it is man. FORMAT and reinstall PERIOD you are fucked if you dont and afterwards make sure your security is audited by a real UNIX admin __________________ Mike South It's No wonder I took up drugs and alcohol, it's the only way I could dumb myself down enough to cope with the morons in this biz.

08-14-2007, 11:50 PM	#13
tASSy Spread The Pink! Join Date: Nov 2004 Location: pinktown! Posts: 8,229	total reinstall. it's the only way to be sure if your entire server is compromised. __________________ tassyPINK ICQ ~ 318097066 *

08-14-2007, 07:47 PM	#2
cashbot So Fucking Banned Join Date: Apr 2007 Posts: 325	If the server is compromised then you don't have any other option except to format the drive and reinstall, hope you have good backups. You can't trust anything your server tells you, there could be backdoors anywhere.

08-14-2007, 07:51 PM	#5
cashbot So Fucking Banned Join Date: Apr 2007 Posts: 325	that's why hackers install their own versions of ps, lsof etc... So they can hide the haxor processes they have running.

08-14-2007, 08:34 PM	#8
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393	Here's another hand for reinstalling from scratch. Restore data, not executables.

08-14-2007, 08:56 PM	#9
Boozer So Fucking Banned Join Date: Feb 2005 Posts: 3,134	Thanks for the replies. I agree with an OS reload. But I would like to at least try and look into the issue before I go through with a re-install. Without the proper tools I cant see ANYTHING

08-14-2007, 09:20 PM	#10
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393	You need more than people to send you replacement files, get expert help so you can be sure it's not going to happen again.

08-15-2007, 12:35 AM	#14
darksoul Confirmed User Join Date: Apr 2002 Location: /root/ Posts: 4,997	Your server must've been really old because its not such a piece of cake to get root on a freebsd server. You probably had some 4.x, I would reinstall with a newer version of the os and have the server locked down by someone who knows what he's doing. __________________ 1337 5y54\|)m1n: 157717888 BM-2cUBw4B2fgiYAfjkE7JvWaJMiUXD96n9tN Cambooth