Need urgent help regarding security

[Steve Bertrand]

> I think we have a serious problem. One of our old server 
> running FreeBSD 4.9 have been compromised and is now 
> connected to an ircd server..
> 195.204.1.132.6667     ESTABLISHED

Ran into this recently. Please post the entire output from:

# top
# w
# last
# ps -aux
# uname -a

...after that, depending on the intruders knowledge and depending on
what/if they are covering up, we can probably tell what is going on via
further troubleshooting. The output from:

# ls -la /tmp

would probably help too.

> However, we still haven't brought the server down in an 
> attempt to track the intruder down. Right now we are clueless 
> as to what we need to do..
> Most of our servers are running legacy operating systems(old 
> versions mostly freebsd) Also, that particular server is 
> running - ProFTPD Version 1.2.4 which someone have suggested 
> to have a known vulnerability..
> 
> I really need all the help I can get as the administration of 
> those servers where just transferred to us by former admins. 
> The server is used for ftp.
> 

First...just relax. Do not panic. Just let them do what they are going
to do (with hopes you have backups), and the problem can be found and
eradicated.

Now, answer these:

- do you have an external firewall in front of this box
- do you have a firewall running on this box
- is this box Internet facing
- is this machines ONLY purpose FTP

Another thing...what is the IP of the box. I can quickly nmap it, give
you instructions on how to config IPFW firewall into the mix, tell you
what ports are listening/responding and send you a ruleset to block all
ports in/out to/from that IP.

Don't be concerned about finding out who did what at this point...again,
relax. Running IRC usually doesn't appear they are malicious. THey are
likely just trying to use your bandwidth/resources.

Provide the above, and something can be done.

Steve