From: "saurabh.bhasin" <saurabh@bhasin.in>
Date: Wed, 16 Nov 2005 18:04:32 -0800
To: ray@redshift.com
Cc: freebsd-security@freebsd.org, Mark Jayson Alvarez
Subject: Re: Need urgent help regarding security
Message-ID: <437BE530.8010404@bhasin.in>
In-Reply-To: <3.0.1.32.20051116174838.00a75e70@pop.redshift.com>

Mark,

In addition to Ray's suggestions, you might also want to capture some packets
(tcpdump and the like) to see more specific details of the outbound IRC
traffic. Unless the traffic is encrypted, you'll be able to see which channel
you're being forced to join (watch for /join #channelname).

It's very likely that your server is part of a bigger botnet, serving up
movies/mp3 etc. You might also want to see if your available disk space has
drastically changed since before this incident. Along the same lines, also
watch out for higher utilization counts on your interface.

As always, it's a good idea to firewall your traffic.

Good luck.

-Saurabh

ray@redshift.com wrote:
> At 05:25 PM 11/16/2005 -0800, Mark Jayson Alvarez wrote:
> | Good Day!
> |
> | I think we have a serious problem. One of our old servers running
> | FreeBSD 4.9 has been compromised and is now connected to an ircd server..
> | 195.204.1.132.6667 ESTABLISHED
> |
> | However, we still haven't brought the server down in an attempt to
> | track the intruder down. Right now we are clueless as to what we need
> | to do.. Most of our servers are running legacy operating systems (old
> | versions, mostly FreeBSD). Also, that particular server is running
> | ProFTPD Version 1.2.4, which someone has suggested has a known
> | vulnerability..
> |
> | I really need all the help I can get as the administration of those
> | servers was just transferred to us by former admins. The server is
> | used for ftp.
> |
> | Thanks..
>
> Hi Mark,
>
> Good luck tracking them. The IP# is out of Canada if that helps any.
>
> 195.204.1.132 CA CANADA ONTARIO WAWA UNDERNET-IRC
>
> Looks like it is coming from another IRC network - although I am no IRC
> expert. Someone is probably using your machine to exchange software or run
> a bot network or something along those lines. Who knows.
>
> Try doing a ps -aux and see if something like eggdrop or some IRC bot is
> running on there (assuming you still have the root password). You might
> even be able to figure out if you are hosting an IRC room :-) Maybe
> everyone from the FreeBSD hacker list can meet there and party :-) Just
> kidding.
>
> Anyway, tracking them is probably a waste of time, unless some valuable
> corporate information has been stolen. The best bet is to just wipe the
> machine and start over, unless you need something on there that you can't
> back up, etc. In cases like these, unless you are running something that
> has built checksums of all your system files, it's difficult to work
> backwards and know for sure you have returned everything back to a secure
> status. Best just to start at square 1 and work forward.
>
> In the future, you might consider running a firewall, such as ipf - or
> putting the server on a non-public IP# behind a router that acts as a
> firewall - then only allow traffic in (and out) on ports you really need.
> If you run ipf, you might also block outgoing traffic on ports such as 21,
> 6666-6669, etc. so that anything that does get into the machine can't
> "phone home".
>
> If your root password has been changed on you, you'll need to boot into
> single user mode and change the password back. You might also check files
> like /etc/rc.local or the like to see if something is set up to auto load
> at boot, such as an IRC server, or IRC bot, etc.
>
> Anyway, just some ideas off hand.
>
> good luck!
>
> Ray
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
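As an added example (not part of the thread, nor any FreeBSD tool), a small Python script that performs the two checks the replies describe: flagging ESTABLISHED TCP sessions to the 6666-6669 IRC port range in `netstat -an` output, and pulling channel names out of JOIN commands in cleartext IRC traffic captured with tcpdump. The netstat and IRC samples are constructed; only the peer 195.204.1.132.6667 comes from Mark's message, and the local host 10.0.0.5 and channel name are invented.

```python
import re

# The thread's firewall advice names ports 6666-6669 as the IRC range.
IRC_PORTS = range(6666, 6670)
JOIN_RE = re.compile(r"^(?:JOIN|/join)\s+(#\S+)", re.IGNORECASE)

# Constructed sample of FreeBSD `netstat -an` output. The local host 10.0.0.5
# is invented; the ircd peer 195.204.1.132.6667 is the one quoted in the thread.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.1045          195.204.1.132.6667     ESTABLISHED
tcp4       0      0  10.0.0.5.21            192.0.2.10.51234       ESTABLISHED
tcp4       0      0  *.21                   *.*                    LISTEN
"""

# Constructed cleartext IRC client traffic, as `tcpdump -A` might show it.
IRC_SAMPLE = """\
NICK bot4432
USER bot 0 * :bot
JOIN #warez-share
PRIVMSG #warez-share :ready
"""

def irc_connections(netstat_text):
    """Return (local, foreign) pairs of ESTABLISHED TCP sessions to IRC ports."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        # netstat -an columns: proto recv-q send-q local foreign state
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue
        # FreeBSD prints host.port; the port follows the last dot.
        port = f[4].rpartition(".")[2]
        if port.isdigit() and int(port) in IRC_PORTS:
            found.append((f[3], f[4]))
    return found

def joined_channels(irc_text):
    """Collect channel names from JOIN commands in captured cleartext IRC."""
    channels = []
    for line in irc_text.splitlines():
        m = JOIN_RE.match(line.strip())
        if m:
            channels.append(m.group(1))
    return channels

if __name__ == "__main__":
    print("IRC sessions:", irc_connections(NETSTAT_SAMPLE))
    print("channels joined:", joined_channels(IRC_SAMPLE))
```

On a live host, feed it the real output of `netstat -an` and the ASCII payload of a `tcpdump -A` capture of the suspect connection instead of the constructed samples.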