you should make a copy of your current harddrive, and lock the otherone in a
safe or something , so that you can always make additional copy's.
This requires a same sized harddisk in a other working system..

But that is propably not what you have,

You should check your webserver logs/ftp logs, for bogus entries
Note that firewalling does not prevent webdefacements, why? Well port
80/20/21
is allowed traffic, so people can get in.

IT might be possible that your ftp server got breached, what version did you
run?
What webserver did you run? with php? Is there even the slightest
possibility that
you had rwx settings on the tree where your webfiles are in, so that one
could have written code to it, or even worse, changing your index file.

I had it myself with a bogus Slashdot topic script, that allowed remote
users
to write into my files, one of my includes was overwritten and i got a
website
your.com, instead of my three tabled layout ... oops, was the script and rwx
permissions in the tree..

Goodluck !!


--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hackerscene

-----Oorspronkelijk bericht-----
Van: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] re re
Verzonden: maandag 8 maart 2004 19:56
Aan: [EMAIL PROTECTED]
Onderwerp: hacked


hello
despite having ipfilter blocking all ports except 80 21 and 22, tripwire,
and scoring 999999 in nmap, my website got defaced.
the box is currently unplugged.  i wanted to know what is the best way to
find out who did it and how they got in, and what to do from here.  tripwire
shows a lot of files changed, most of which could be attributed to cvsup'ing
recently.  any other security precautions to take disaster recovery guides?
i've already changed p/w's on my other boxes.
thanks
--
______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.


Powered by Outblaze
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to