From owner-freebsd-questions@FreeBSD.ORG Thu Nov 17 01:30:05 2005
From: "Steve Bertrand"
To: "'Mark Jayson Alvarez'"
Cc: 'FreeBSD Questions'
Date: Wed, 16 Nov 2005 20:29:55 -0500
Subject: RE: Need urgent help regarding security
In-Reply-To: <20051117011637.17190.qmail@web51601.mail.yahoo.com>
Message-Id: <20051117013004.CBEA243D45@mx1.FreeBSD.org>

> I think we have a serious problem. One of our old servers
> running FreeBSD 4.9 has been compromised and is now
> connected to an ircd server..
> 195.204.1.132.6667 ESTABLISHED

Ran into this recently.

Please post the entire output from:

# top
# w
# last
# ps -aux
# uname -a

...after that, depending on the intruder's knowledge and depending on what/if they are covering up, we can probably tell what is going on via further troubleshooting.

The output from:

# ls -la /tmp

would probably help too.

> However, we still haven't brought the server down in an
> attempt to track the intruder down. Right now we are clueless
> as to what we need to do..
> Most of our servers are running legacy operating systems (old
> versions, mostly FreeBSD). Also, that particular server is
> running ProFTPD Version 1.2.4, which someone has suggested
> has a known vulnerability..
>
> I really need all the help I can get as the administration of
> those servers was just transferred to us by former admins.
> The server is used for ftp.

First...just relax. Do not panic. Just let them do what they are going to do (with hopes you have backups), and the problem can be found and eradicated.

Now, answer these:

- do you have an external firewall in front of this box
- do you have a firewall running on this box
- is this box Internet facing
- is this machine's ONLY purpose FTP

Another thing...what is the IP of the box. I can quickly nmap it, give you instructions on how to config the IPFW firewall into the mix, tell you what ports are listening/responding and send you a ruleset to block all ports in/out to/from that IP.

Don't be concerned about finding out who did what at this point...again, relax. Running IRC usually doesn't mean they are malicious. They are likely just trying to use your bandwidth/resources.

Provide the above, and something can be done.

Steve
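The netstat line quoted at the top (foreign address 195.204.1.132.6667, state ESTABLISHED) and the command output Steve asks for are collected on the box and examined elsewhere. As an added example that is not part of this thread, the script below parses saved FreeBSD `netstat -an` output, where the port follows the last dot of each address, and flags established sessions to IRC ports plus listeners beyond the ports an FTP-only host should expose; the sample output, the IRC port set and the expected-port set are constructed assumptions.

```python
"""Triage saved FreeBSD `netstat -an` output for IRC sessions and stray listeners."""

# Constructed sample in the layout FreeBSD 4.x prints (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.1.2.3.1145          195.204.1.132.6667     ESTABLISHED
tcp4       0      0  10.1.2.3.21            192.0.2.44.51022       ESTABLISHED
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  10.1.2.3.31337         *.*                    LISTEN
udp4       0      0  *.514                  *.*
"""

# Assumption: an FTP-only box should listen on FTP and SSH and nothing else.
EXPECTED_LISTEN_PORTS = {21, 22}
# Assumption: the usual IRC port range plus 7000; extend to taste.
IRC_PORTS = set(range(6660, 6670)) | {7000}


def split_addr(addr):
    """FreeBSD prints 'host.port'; the port is whatever follows the LAST dot.
    Wildcards such as '*.*' carry no numeric port and yield None."""
    host, _, port = addr.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per tcp/udp row; header lines and the '(state)' row are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        state = f[5] if len(f) > 5 else ""  # UDP rows have no state column
        rows.append({"proto": f[0], "local": split_addr(f[3]),
                     "foreign": split_addr(f[4]), "state": state})
    return rows


def triage(text, expected_listen=EXPECTED_LISTEN_PORTS):
    """Flag established sessions to IRC ports and listeners outside the expected set."""
    findings = []
    for r in parse_netstat(text):
        lhost, lport = r["local"]
        fhost, fport = r["foreign"]
        if r["state"] == "ESTABLISHED" and fport in IRC_PORTS:
            findings.append(("irc-outbound", f"{fhost}:{fport}"))
        elif r["state"] == "LISTEN" and lport not in expected_listen:
            findings.append(("unexpected-listener", f"{lhost}:{lport}"))
    return findings
```

Feed it the real `netstat -an` capture instead of the sample and compare the listener list against what `ps -aux` says should be running.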