From owner-freebsd-questions@FreeBSD.ORG Sat Aug 11 11:31:50 2007
Return-Path:
Delivered-To: questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 687F316A421 for ; Sat, 11 Aug 2007 11:31:50 +0000 (UTC) (envelope-from mrb@bmyster.com)
Received: from loqtis.bmyster.com (ns1.bmyster.com [65.175.135.37]) by mx1.freebsd.org (Postfix) with ESMTP id 2724F13C46C for ; Sat, 11 Aug 2007 11:31:49 +0000 (UTC) (envelope-from mrb@bmyster.com)
Received: from www.bmyster.com (localhost.bmyster.com [127.0.0.1]) by loqtis.bmyster.com (8.13.3/8.13.3) with ESMTP id l7BBKaCb051087 for ; Sat, 11 Aug 2007 07:20:36 -0400 (EDT)
From: "Brent"
To: questions@freebsd.org
Date: Sat, 11 Aug 2007 07:20:31 -0400
Message-Id: <20070811110231.M84490@bmyster.com>
X-Mailer: Open WebMail 2.51 20050228
X-OriginatingIP: 76.179.113.78 (mrb)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Cc:
Subject: server was hacked
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 11 Aug 2007 11:31:50 -0000

I'm running FBSD 5.4 as a web server. The server is behind a Cisco firewall/router and the server has a lot of CMS Joomla / Mambo sites on it. I noticed that when I ran sockstat I was seeing multiple IPs connected to high ports on the server with a process id of "psybnc". Did some looking around & found that this is an IRC relay program that was installed through a compromised Mambo site. After getting rid of the program I changed our router to disallow this type of traffic & started trying to fix the box. I'm pretty sure that root wasn't compromised but I'm going to re-install anyway.

My question: has anyone run into this problem with CMS sites? How exactly are they getting in? What are the things I can do to prevent this?

On FBSD how do you checksum binaries on the system to ensure someone hasn't replaced one with their own binary?

Thank you... any & all help is greatly appreciated.

-- Brent
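An added example, not part of Brent's mail or of any reply on the list: a baseline-and-compare file integrity check of the kind the last question asks about, written in Python with hashlib, run here against a constructed temporary directory in which one "binary" is replaced and one unexpected file is dropped. On FreeBSD the native tool for the same job is mtree(8) in -c mode with a digest keyword (-K); in either case the baseline must come from a known-good state (install media or a fresh install) and be stored off the host, because hashes first computed on an already compromised system prove nothing.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def compare_manifests(baseline, current):
    """Return (modified, missing, added) of the current tree relative to the trusted baseline."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added


def demo():
    """Constructed scenario (hypothetical): a fake bin directory with one replaced binary and one dropped file."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("ls", b"#!/bin/sh\necho ls\n"), ("netstat", b"#!/bin/sh\necho netstat\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_manifest(root)  # taken while the tree is still trusted
        with open(os.path.join(root, "netstat"), "wb") as f:
            f.write(b"#!/bin/sh\necho nothing to see\n")  # simulated replaced binary
        with open(os.path.join(root, "psybnc"), "wb") as f:
            f.write(b"dropped file\n")  # simulated unexpected new file
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())  # returns (['netstat'], [], ['psybnc'])
```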