On Wed, Jan 18, 2006 at 03:56:32PM +0200, Kilian Hagemann wrote:
> I have never even heard of "frox" before, but after some googling
> it turns out that it's a GPL'ed transparent ftp proxy...

Where's it pointing?

> Also, I said smtp ports were open on the machines in question, I
> just verified that I can send emails via BOTH these systems even
> though no sendmail/exim/whatever was ever installed by me and
> sendmail_enable="None" on both.

What do you see when you connect to the SMTP ports? Are they really mail servers, or just rogue services running on 25?

> My servers have been compromised, fantastic. And that with an
> initial firewall'ed setup that left NO open ports (I verified that
> a while ago with nmap). So much for my impression that FreeBSD was
> secure.

My condolences; what you describe, though, doesn't really suggest that /FreeBSD/ is insecure. In the vast majority of these situations (and yes, I have found myself in your shoes before), the operator (you or I) is to blame.

> How could this have happened? ipfw buffer overflow? Some other
> unknown vulnerability?

Ockham's razor: the simplest is also the most likely solution. You're running Samba; is there any chance that that service or your configuration of it could have opened a hole? How many people have user accounts on that box? Do you allow ChallengeResponseAuthentication on SSH? Key only?

> I really wanna find out how they got in (syslog offers no clues
> btw, I've been rootkitted after all :-(

You'll need to do a more sophisticated forensic analysis, then, to figure out what happened. Some basic questions: were you running a file integrity monitor? What did it say? Do you have logs that were remotely backed up (and, therefore, likely still accurate)? What do they say? Do you have any network monitoring that might have recorded an intrusion? What services /should/ be running on the box (I don't think this was ever actually listed -- it would be useful to know)? Do you have dumps of the traffic leaving or entering the box?

Again, this is a tough and very unfortunate position to be in -- I sympathize.

It may very well not be worth the time it takes to fully investigate the source of the compromise. Real forensic analysis is outside most of our job descriptions; I know that my skillset doesn't cover it well enough. An inept investigation can be much worse than no investigation at all: consider (if you can afford it) bringing in someone who can do a quick, good job of it.

> Any suggestions other than format/reinstall/tripwire?

I can't think of any better ideas. Certainly, I'd add updating the system to your list. Even if the Security Alerts don't seem to affect your set up, I find it's good practice to apply them in a reasonable amount of time. At the very least, it keeps me in touch with my boxes and lets me develop a routine in case an alert does affect me.

Good luck!

-- 
Will Maier
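The reply's "what services /should/ be running on the box" question is the check an operator can script. The following is an added example, not code from the thread: it parses a constructed `sockstat -4l` listing (FreeBSD's listening-socket tool) and reports listeners that are not on an assumed allow-list of expected services, including a process squatting on port 25, plus any expected service that has gone missing. The sample output and the EXPECTED table are assumptions, not data from the poster's hosts.

```python
"""Audit listening sockets against an operator's expected-services list.

All sample data here is constructed for illustration; it is not a real capture.
"""
from dataclasses import dataclass

# Constructed sample of `sockstat -4l` output
# (columns: USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
root     smbd       701   5  tcp4   *:445                 *:*
root     nmbd       702   6  udp4   *:137                 *:*
nobody   httpd      990   3  tcp4   *:25                  *:*
root     syslogd    455   6  udp4   *:514                 *:*
"""

# Assumed allow-list: (proto, port) -> command name the operator expects to own it.
EXPECTED = {
    ("tcp4", 22): "sshd",
    ("tcp4", 445): "smbd",
    ("udp4", 137): "nmbd",
}

@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    port: int

def parse_sockstat(text: str) -> list[Listener]:
    """Turn sockstat rows into Listener records; the header row is skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed or blank row
        user, command, pid, _fd, proto, local, _foreign = parts[:7]
        port = int(local.rsplit(":", 1)[1])  # "*:22" or "10.0.0.1:25" -> port
        listeners.append(Listener(user, command, int(pid), proto, port))
    return listeners

def audit_listeners(listeners, expected):
    """Return (listener, reason) for ports not on the list or owned by the wrong process."""
    findings = []
    for lst in listeners:
        key = (lst.proto, lst.port)
        if key not in expected:
            findings.append((lst, "unexpected listening port"))
        elif expected[key] != lst.command:
            findings.append((lst, f"owned by '{lst.command}', expected '{expected[key]}'"))
    return findings

def missing_listeners(listeners, expected):
    """Expected (proto, port) pairs with no listener at all, e.g. a stopped service."""
    return set(expected) - {(lst.proto, lst.port) for lst in listeners}
```

Run against the sample it flags `httpd` on tcp/25 and `syslogd` on udp/514; on a real host, feed it the output of `sockstat -4l` and keep the allow-list under version control so drift is visible.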