From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Date: Thu, 18 Oct 2007 10:19:13 -0500
Subject: Re: gtn bot ?
Message-ID: <75F91F912378E3D6CE5C9E9B@utd59514.utdallas.edu>
In-Reply-To: <009901c81182$6e060c90$6501a8c0@GRANT>
References: <008201c8117d$7ae74460$6501a8c0@GRANT> <009901c81182$6e060c90$6501a8c0@GRANT>

--On Thursday, October 18, 2007 08:28:46 -0400 Grant Peel wrote:

> Hi all,
>
> I missed one too. I have never seen this process before, any ideas?
>
> 6313 1 Mon Oct 15 19:34:39 2007 0:02.71 [prox]

The problem with this approach is that the bad guys don't try to accommodate you by using common naming conventions. Searching for gtn or prox or eggdrop will most likely be a fruitless exercise.
What you need to do is 1) identify what it is by locating it and all its associated files on the hard drive, 2) determine how to stop it so you can clean up and 3) figure out how the box was broken into so you can prevent a reoccurrence.

If you need help with that, I would suggest taking it private. It's best not to post these kinds of details in an open forum. I'd be happy to help, and I'm sure there are others here, even more experienced than I am, who can help.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
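A helper for step 1 above, resolving what an oddly named process actually is and recording its files and sockets before anything is killed. This is an added example, not code from the thread; the FreeBSD tool names (procstat, sockstat) and their column layout, and the "suspicious location" heuristics, are assumptions.

```sh
#!/bin/sh
# Added example: collect evidence about one unknown process before stopping it.
# Uses procstat(1)/sockstat(1) when present (FreeBSD), otherwise falls back to
# /proc. Tool names, output columns and the path heuristics are assumptions.

# classify_exe PATH: flag binaries running from places a server daemon normally
# should not: temp dirs, hidden directories, or a deleted/unknown executable.
classify_exe() {
    case "$1" in
        ""|-|*"(deleted)"|/tmp/*|/var/tmp/*|/dev/shm/*|*/.*/*) echo suspicious ;;
        *) echo ok ;;
    esac
}

# exe_path PID: resolve the real binary path rather than trusting argv[0],
# since a process can call itself anything (the "[prox]" above, for instance).
exe_path() {
    if command -v procstat >/dev/null 2>&1; then
        procstat -b "$1" 2>/dev/null | awk 'NR==2 { print $4 }'   # PID COMM OSREL PATH
    elif [ -d "/proc/$1" ]; then
        readlink "/proc/$1/exe" 2>/dev/null || echo ""
    fi
}

# triage PID OUTDIR: record what is running, what it has open and where it
# came from, so the box can be understood before cleanup starts.
triage() {
    pid=$1; out=$2
    mkdir -p "$out"
    exe=$(exe_path "$pid")
    printf '%s\n' "$exe" > "$out/exe_path"
    classify_exe "$exe" > "$out/verdict"
    ps -o pid,ppid,user,etime,args -p "$pid" > "$out/ps.txt" 2>/dev/null || :
    if command -v procstat >/dev/null 2>&1; then
        procstat -f "$pid" > "$out/files.txt" 2>/dev/null || :
        procstat -e "$pid" > "$out/env.txt" 2>/dev/null || :
        sockstat -P tcp,udp 2>/dev/null | awk -v p="$pid" '$3 == p' > "$out/sockets.txt"
    elif [ -d "/proc/$pid" ]; then
        ls -l "/proc/$pid/fd" > "$out/files.txt" 2>/dev/null || :
        tr '\000' '\n' < "/proc/$pid/environ" > "$out/env.txt" 2>/dev/null || :
    fi
    # hash the on-disk binary (if still there) so it can be identified later
    if [ -n "$exe" ] && [ -f "$exe" ]; then
        if command -v sha256 >/dev/null 2>&1; then sha256 -q "$exe"
        else sha256sum "$exe" | cut -d' ' -f1; fi > "$out/exe_sha256"
    fi
    cat "$out/verdict"
}
```

Run as `triage 6313 /root/ir/prox` (the PID from the listing above) and keep the output directory off the compromised disk; the verdict is only a hint, the collected files are what matter.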