From owner-freebsd-security Mon Dec 2 10:53:36 2002
From: "Charles Swiger" <cswiger@mac.com>
Date: Mon, 2 Dec 2002 13:53:23 -0500
Subject: Re: psybnc and IRC hack
Message-ID: <009101c29a34$1b96f4d0$0301a8c0@prime>
References: <20021202123616.A33705@klentaq.com>

[ This probably belongs on freebsd-security, instead... ]

Wayne M Barnes wrote:
> How can I best recover from, and defend myself from, a hacker
> who breaks into my system and runs a program called psybnc
> without my permission? I think he is using my system as a
> front/slave.

Yes. Unless you installed an IRC bouncer-- or whatever it was being used for--
yourself, it's a safe bet that your machine was hacked. You haven't identified
much about the system-- OS version, what service was compromised (if you know,
and you should investigate that), as well as form an incident timeline.

The best way to recover is to backup the compromised system, for recovery of
your data and later forensics if you (or your ISP) chooses to investigate
further.

Reinstall the latest version of FreeBSD from a known-good image, possibly using
CVSUP to upgrade to -STABLE or the security branch for your version
(RELENG_4_7?).

Then restore your data (after making sure nothing was compromised...that means
do not copy data, especially executables, without checking them against prior
backups).

> For now, I have killed psybnc, deleted the directory of stuff
> that he put in, and changed my password. Is that any good?

It's a good starting point, yes, but it certainly isn't sufficient.

> Can there be a real vaccination built in to FreeBSD?

Yes. It's easy to compare your system against the software from the OS install
disk; where many people encounter problems is with the changes they've made
afterwards themselves. How complete are your backups?

-Chuck

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security Mon Dec 2 20:52:12 2002
From: neal r <neallist@wispair.net>
Date: Mon, 02 Dec 2002 23:49:33 -0600
To: stabilizer@klentaq.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: psybnc and IRC hack
Message-ID: <3DEC45ED.CFA0FF57@wispair.net>
References: <20021202123616.A33705@klentaq.com> <009101c29a34$1b96f4d0$0301a8c0@prime>

This doesn't belong on freebsd-security.

Read this first:

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/security.html

If you're still confused get on an Undernet IRC server, go to #freebsdhelp, and
ask for assistance. It's best to show between 18:00 and 24:00 EST from my
experience. There are probably other places you could check; this one I
frequent, and I know they'll help new people.


From owner-freebsd-security Mon Dec 2 20:59:47 2002
From: Patrick Fish <patrick@pwhsnet.com>
Date: Mon, 02 Dec 2002 20:59:41 -0800
To: neallist@wispair.net, stabilizer@klentaq.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: psybnc and IRC hack
Message-ID: <039801c29a88$cab8e5a0$1401a8c0@patrick>
References: <20021202123616.A33705@klentaq.com> <009101c29a34$1b96f4d0$0301a8c0@prime> <3DEC45ED.CFA0FF57@wispair.net>

> This doesn't belong on freebsd-security.
>
> Read this first:
>
> http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/security.html
>
> If you're still confused get on an Undernet IRC server, go to #freebsdhelp, and
> ask for assistance. It's best to show between 18:00 and 24:00 EST from my
> experience. There are probably other places you could check; this one I
> frequent, and I know they'll help new people.

If you have no luck there, try EFnet (same channel).

pf
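Chuck's two checks above (compare the reinstalled system against the install media, and check restored executables against prior backups) both come down to a file-by-file hash comparison between a trusted tree and a suspect one. The script below is an added example, not code from this thread or from FreeBSD; the function names, the two constructed sample trees, and the planted "trojaned ps", dropped bouncer and deleted binary are this example's own assumptions, chosen to show the three kinds of finding such a comparison produces.

```shell
#!/bin/sh
# Added example (not from the thread): diff a suspect file tree against a
# known-good one by SHA-256, the check Chuck describes for the reinstall and
# for restored executables. All function and sample names are assumptions.
set -u

# SHA-256 of one file: sha256sum (GNU), sha256 (FreeBSD) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# make_manifest DIR: one "hash<TAB>./relative/path" line per regular file,
# sorted so that two manifests of identical trees are byte-identical.
make_manifest() {
    dir=$1
    ( cd "$dir" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        printf '%s\t%s\n' "$(sha256_of "$dir/$f")" "$f"
    done
}

# compare_trees GOOD SUSPECT: prints ADDED / MODIFIED / MISSING lines for the
# suspect tree relative to the good one; returns 0 only when the trees match.
compare_trees() {
    good_m=$(mktemp) || return 2
    bad_m=$(mktemp) || return 2
    make_manifest "$1" > "$good_m"
    make_manifest "$2" > "$bad_m"
    report=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }        # load the baseline
        !($2 in base)       { print "ADDED\t" $2; next }   # only on the suspect box
        { seen[$2] = 1; if (base[$2] != $1) print "MODIFIED\t" $2 }
        END { for (p in base) if (!(p in seen)) print "MISSING\t" p }
    ' "$good_m" "$bad_m" | LC_ALL=C sort)
    rm -f "$good_m" "$bad_m"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: builds two constructed sample trees (stand-ins for the install media
# and the live box) and prints the comparison report. Always returns 0.
demo() {
    good=$(mktemp -d)
    suspect=$(mktemp -d)
    for d in "$good" "$suspect"; do
        mkdir -p "$d/bin" "$d/etc"
        printf 'ELF ls v1\n'         > "$d/bin/ls"
        printf 'ELF ps v1\n'         > "$d/bin/ps"
        printf 'sshd_enable="YES"\n' > "$d/etc/rc.conf"
    done
    printf 'ELF w v1\n' > "$good/bin/w"                     # deleted on the live box
    printf 'ELF ps v1, hides psybnc\n' > "$suspect/bin/ps"  # replaced binary
    mkdir -p "$suspect/tmp/.x"
    printf 'bouncer\n' > "$suspect/tmp/.x/psybnc"           # dropped tool
    compare_trees "$good" "$suspect" || true
    rm -rf "$good" "$suspect"
}

# Expected report from demo:
#   ADDED     ./tmp/.x/psybnc
#   MISSING   ./bin/w
#   MODIFIED  ./bin/ps
demo
```

Two practical points. Run the comparison from trusted media (a boot CD or a second, clean host with the suspect disk mounted read-only), because on a compromised system the hashing tool, find, ls and the kernel itself may all be lying; a hash list computed on the box by the box proves little. On a real FreeBSD host the native way to do the same job is mtree(8), which can both generate and verify a specification with sha256digest keywords. Either way, expect the report to contain legitimate local changes (ports you built, configuration you edited), which is exactly the problem Chuck points at: the baseline only covers what came off the install disk, so the post-install changes are the part you have to account for by hand.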