Need urgent help regarding security
Mark Kane
mark at mkproductions.org
Thu Nov 17 02:40:37 GMT 2005
Mark Jayson Alvarez wrote:
> Good Day!
>
> I think we have a serious problem. One of our old
> server running FreeBSD 4.9 have been compromised and
> is now connected to an ircd server..
> 195.204.1.132.6667 ESTABLISHED
I believe I'm having the same issue as you, except on FreeBSD
5.4-RELEASE. I notice a connection to the same IP and port as you posted
(which by the way is an Undernet IRC server).
I also see a psyBNC server listening on port 7978:
server# sockstat -l4 | grep psybnc
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
wicked6 psybnc 15819 3 tcp4 *:7978 *:*
Funny thing is there is no process by wicked6 (or by anyone currently)
called "psybnc". I can connect to an IP on that server on port 7978 and
get a psyBNC though. I've checked for other processes by wicked6, nothing.
It's trying to make a connection on 6667 to that IP as I said:
server1# netstat -n | grep 6667
tcp4 0 0 xx.xx.xx.xx.64243 195.197.175.21.6667 SYN_SENT
top lists nothing using up much CPU. /tmp doesn't show much except many
session files. I found a psybnc.tar.gz file in a user's home directory
but cannot find any directories with psybnc config files or binaries.
Port 6667 is blocked by my datacenter so this is not actually doing any
damage against the target, but I wanted to post here and let you know
I'm having the same problem on a different version of FBSD with
everything up to date.
To Steve:
I don't want to post the full outputs of those since this is a client
server, but I will say the following points:
- "top" lists nothing significant. 97% idle CPU
- "w" only shows myself and one other legit user logged in who is
editing config files with vi
- "last" shows nothing but myself and that one other user
- "ps -aux" doesn't say anything about psyBNC or bnc. everything looks
normal as of now
- It's a FreeBSD 5.4-RELEASE machine with a generic kernel except with
quota support
-Mark
--
GnuPG Public Key:
http://www.mkproductions.org/mk_pubkey.asc
Internet Radio:
Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net
IRC:
MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20051116/b407db5f/signature.bin
More information about the freebsd-questions
mailing list