server was hacked
Tamouh H.
hakmi at rogers.com
Sat Aug 11 17:21:04 PDT 2007
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Brent
> Sent: August 11, 2007 7:21 AM
> To: questions at freebsd.org
> Subject: server was hacked
>
> I'm running FBSD 5.4 as a web server. The server is behind a
> Cisco firewall/router and the server has a lot of CMS Joomla
> / Mambo sites on it. I noticed that when I ran sockstat I was
> seeing multiple IPs connected to high ports on the server
> with a process ID of "psybnc". Did some looking around &
> found that this is an IRC relay program that was installed
> through a compromised Mambo site. After getting rid of the
> program I changed our router to disallow this type of
> traffic... & started trying to fix the box. I'm pretty sure that
> root wasn't compromised but I'm going to re-install anyway. My
> question: has anyone run into this problem with CMS sites? How
> exactly are they getting in?
> What are the things I can do to prevent this? On FBSD how do
> you checksum binaries on the system to ensure someone hasn't
> replaced one with their own binary?
>
> Thank you... any & all help is greatly appreciated
>
>
> --
> Brent
>
Just a piece of advice for the future: if you're running Apache, use mod_security to protect you from similar hacks (you need to update the rules every now and then to stay on top of things):
http://www.modsecurity.org/ You'll also find sample rules at: www.gotroot.com
Tamouh