Need urgent help regarding security
Steve Bertrand
iaccounts at ibctech.ca
Thu Nov 17 03:06:43 GMT 2005
> - "top" lists nothing significant. 97% idle CPU
Irrelevant, the process is probably idle right now.
> - "w" only shows myself and one other legit user logged in
> who is editing config files with vi
Perhaps they aren't currently logged in.
> - "last" shows nothing but myself and that one other user
What is the last entry that last shows (no pun intended), i.e., what is
the date?
> - "ps -aux" doesn't say anything about psyBNC or bnc.
> everything looks normal as of now
Ok, here's what to do:
# pkg_add -r nmap
# rehash
# nmap -sS -P0 my.ip.server.com
...then (probably futile):
# nmap -sU -P0 my.ip.server.com
which will tell you if you are listening on ports you *shouldn't* have
open.
> - It's a FreeBSD 5.4-RELEASE machine with a generic kernel
> except with quota support
You still didn't answer the FTP question. What services should be
running on it?
You can easily rebuild a new kernel with:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=1000
Then create a script blocking ALL ports except those that you need.
Especially only allowing SSH access to the box from limited IPs. If you
need help, just ask.
This sounds like a brute-forced password hack via remote access, or an
overflow via vulnerable software that should not be Internet facing.
Don't give me your IP if you don't want, just tell us (or me personally)
what should be Internet facing (as far as services), and we'll get you
fixed up.
Have you checked your daily cron outputs lately? What do they say?
nmap is your friend, and so is IPFW. Figure out exactly what you need to
face the Internet, and staple the rest closed.
Steve
>
> -Mark
>
> --
> GnuPG Public Key:
> http://www.mkproductions.org/mk_pubkey.asc
>
> Internet Radio:
> Party107 (Trance/Electronic) - http://www.party107.com Rock
> 101.9 The Edge (Rock) - http://www.rock1019.net
>
> IRC:
> MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
>
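
A default-deny script of the kind the message above describes, as an added example that is not part of the original post. The names IPFW, SSH_FROM, PUBLIC_TCP and build_rules are this example's own, the SSH source addresses are constructed documentation ranges, and the single public port is hypothetical because the thread never states which services should face the Internet.

```shell
#!/bin/sh
# Added example: default-deny ipfw ruleset, printed as a dry run by default.
# Assumed values below are constructed; replace them with your own.
IPFW="${IPFW:-echo ipfw -q}"    # set IPFW="/sbin/ipfw -q" to apply for real
SSH_FROM="${SSH_FROM:-192.0.2.10 198.51.100.0/24}"   # documentation ranges
PUBLIC_TCP="${PUBLIC_TCP:-80}"  # hypothetical: only HTTP is Internet facing

# Emit one numbered rule and advance the rule counter.
rule() { $IPFW add "$n" "$@"; n=$((n + 100)); }

# build_rules "<ssh source list>" "<public tcp port list>"
build_rules() {
    ssh_from=$1; public_tcp=$2; n=100

    $IPFW -f flush
    rule allow ip from any to any via lo0
    rule check-state
    # Traffic this host originates, tracked statefully so replies return
    rule allow tcp from me to any setup keep-state
    rule allow udp from me to any keep-state
    # Echo reply, unreachable, echo request, time exceeded
    rule allow icmp from any to any icmptypes 0,3,8,11
    # SSH only from the listed sources
    for src in $ssh_from; do
        rule allow tcp from "$src" to me 22 in setup keep-state
    done
    # Services that are meant to face the Internet
    for port in $public_tcp; do
        rule allow tcp from any to me "$port" in setup keep-state
    done
    # Everything else is dropped and logged (logging needs IPFIREWALL_VERBOSE)
    $IPFW add 65000 deny log ip from any to any
}

build_rules "$SSH_FROM" "$PUBLIC_TCP"
```

A kernel built with only the options above denies everything by default, so apply the rules from the console the first time rather than over SSH.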