Need urgent help regarding security

Mark Kane mark at mkproductions.org
Thu Nov 17 02:40:37 GMT 2005


Mark Jayson Alvarez wrote:
> Good Day!
> 
> I think we have a serious problem. One of our old
> servers running FreeBSD 4.9 has been compromised and
> is now connected to an ircd server..
> 195.204.1.132.6667     ESTABLISHED

I believe I'm having the same issue as you, except on FreeBSD
5.4-RELEASE. I notice a connection to the same IP and port as you posted
(which by the way is an Undernet IRC server).

I also see a psyBNC server listening on port 7978:

server# sockstat -l4 | grep psybnc
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
wicked6  psybnc     15819 3  tcp4   *:7978                *:*

Funny thing is, there is no process by wicked6 (or by anyone, currently)
called "psybnc". I can connect to an IP on that server on port 7978 and
get a psyBNC, though. I've checked for other processes by wicked6: nothing.

It's trying to make a connection on 6667 to that IP, as I said:

server1# netstat -n | grep 6667
tcp4       0      0  xx.xx.xx.xx.64243    195.197.175.21.6667    SYN_SENT

top lists nothing using up much CPU. /tmp doesn't show much except many
session files. I found a psybnc.tar.gz file in a user's home directory
but cannot find any directories with psybnc config files or binaries.

Port 6667 is blocked by my datacenter, so this is not actually doing any
damage against the target, but I wanted to post here and let you know
I'm having the same problem on a different version of FBSD with
everything up to date.

To Steve:

I don't want to post the full outputs of those since this is a client
server, but I will say the following points:

- "top" lists nothing significant: 97% idle CPU.
- "w" only shows myself and one other legit user logged in, who is
editing config files with vi.
- "last" shows nothing but myself and that one other user.
- "ps -aux" doesn't say anything about psyBNC or bnc. Everything looks
normal as of now.
- It's a FreeBSD 5.4-RELEASE machine with a generic kernel, except with
quota support.

-Mark

-- 
GnuPG Public Key:
http://www.mkproductions.org/mk_pubkey.asc

Internet Radio:
Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net

IRC:
MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
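The symptom Mark describes above, a listening socket that sockstat attributes to a PID which no ps run shows, is the kind of mismatch worth checking mechanically rather than by eye. The script below is an added example, not code from the post or from FreeBSD: it reconciles the PID column of `sockstat -l4` output against a ps listing and reports any socket owner that ps cannot see, and it pulls outbound connections to the common IRC port range 6665-6669 out of `netstat -n` output (that port range is an assumption; the post only mentions 6667). The sample outputs are constructed inline so the script runs offline; the PID 15819, user wicked6, port 7978 and the 195.197.175.21.6667 SYN_SENT line are copied from the post, and every other row is invented.

```shell
#!/bin/sh
# Added example (not from the original post): reconcile listening-socket
# owners against the process list, and list outbound IRC-port connections.
# On a live box replace the constructed samples with:
#   sockstat -l4           ps -axo pid=,user=,command=           netstat -n

# Constructed sample of `sockstat -l4`. The psybnc row mirrors the post;
# the sshd and syslogd rows are invented.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
wicked6  psybnc     15819 3  tcp4   *:7978                *:*
root     syslogd    401   5  udp4   *:514                 *:*'

# Constructed sample of `ps -axo pid=,user=,command=` on the same box.
# PID 15819 is deliberately absent: that is the condition the post describes.
SAMPLE_PS='  401 root     /usr/sbin/syslogd -s
  512 root     /usr/sbin/sshd
 1203 mark     -csh
 1210 mark     top'

# Constructed sample of `netstat -n`; the first tcp4 row is the one from the post.
SAMPLE_NETSTAT='Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.64243         195.197.175.21.6667    SYN_SENT
tcp4       0      0  10.0.0.5.22            192.0.2.10.51022       ESTABLISHED'

# hidden_listeners SOCKSTAT_TEXT PS_TEXT
# Prints "PID USER COMMAND LOCAL_ADDRESS" for every listening socket whose PID
# is not in the ps listing; prints nothing when the two views agree.
# A hit is either a race (process exited between the two commands: re-run)
# or a process that ps cannot see, i.e. a subverted ps or kernel.
hidden_listeners() {
    sockstat_text=$1
    ps_text=$2
    # PIDs that ps reports, one per line (leading whitespace is ignored by awk).
    ps_pids=$(printf '%s\n' "$ps_text" | awk '{ print $1 }')
    printf '%s\n' "$sockstat_text" | awk -v pids="$ps_pids" '
        BEGIN { n = split(pids, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }        # skip the sockstat header row
        !($3 in seen) { print $3, $1, $2, $6 }  # PID USER COMMAND LOCAL ADDRESS
    '
}

# irc_connections NETSTAT_TEXT
# Prints "FOREIGN_ADDRESS STATE" for tcp4 sockets whose foreign port is in
# 6665-6669 (assumed IRC range). netstat -n writes the port as the last
# dot-separated component of the address, so split on "." and take the tail.
irc_connections() {
    printf '%s\n' "$1" | awk '$1 == "tcp4" {
        n = split($5, p, "."); port = p[n] + 0
        if (port >= 6665 && port <= 6669) print $5, $6
    }'
}

# Run both checks on the constructed samples when executed directly.
echo "== listening sockets with no matching ps entry =="
hidden_listeners "$SAMPLE_SOCKSTAT" "$SAMPLE_PS"
echo "== outbound connections to IRC ports =="
irc_connections "$SAMPLE_NETSTAT"
```

On the live machine, a PID reported here can be probed with `kill -0 15819` (or `ls /proc/15819` if procfs is mounted): if the kernel still answers for the PID but ps will not list it, the userland tools on that box can no longer be trusted and the remaining investigation belongs on a clean system with the disk mounted read-only.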