what www perl script is running?
Bill Moran
wmoran at potentialtech.com
Tue Aug 25 12:26:06 UTC 2009
In response to Colin Brace <cb at lim.nl>:
>
> Olivier Nicole wrote:
> >
> >> Am I correct in assuming that my system has been hacked and I am running
> >> an
> >> IRC server or something?
> >
> > IRC client at least. And yes, I would think that your system has been
> > compromised.
> >
>
> Thanks Olivier.
>
> I am currently killing the process with the following bash command while I
> decide what to do next:
>
> $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15;
> done
You can add an ipfw rule to prevent the script from calling home, which
will effectively render it neutered until you can track down and actually
_fix_ the problem.
In reality, good security practice says that you should have IPFW (or some
other firewall) running and only allowing known good traffic right from
the start, which might have protected you from this in the first place.
> Is it worth first trying to determine how my system was broken into?
Yes. Otherwise you'll probably just get a repeat once you've reinstalled.
--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
More information about the freebsd-questions
mailing list