Date: Wed, 16 Nov 2005 22:06:39 -0500 From: "Steve Bertrand" <iaccounts@ibctech.ca> To: "'Mark Kane'" <mark@mkproductions.org>, "'Mark Jayson Alvarez'" <jay2xra@yahoo.com> Cc: iaccounts@ibctech.ca, freebsd-questions@freebsd.org Subject: RE: Need urgent help regarding security Message-ID: <20051117030642.75DB643D45@mx1.FreeBSD.org> In-Reply-To: <437BED9F.6010703@mkproductions.org>
> - "top" lists nothing significant. 97% idle CPU

Irrelevant, the process is probably idle right now.

> - "w" only shows myself and one other legit user logged in
> who is editing config files with vi

Perhaps they aren't currently logged in.

> - "last" shows nothing but myself and that one other user

What is the last entry that last shows (no pun intended)...ie: what is the date?

> - "ps -aux" doesn't say anything about psyBNC or bnc.
> everything looks normal as of now

Ok, here's what to do:

# pkg_add -r nmap
# rehash
# nmap -sS -P0 my.ip.server.com

...then (probably futile):

# nmap -sU -P0 my.ip.server.com

which will tell you if you are listening on ports you *shouldn't* have open.

> - It's a FreeBSD 5.4-RELEASE machine with a generic kernel
> except with quota support

You still didn't answer the FTP question. What services should be running on it?

You can easily rebuild a new kernel with:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=1000

Then create a script blocking ALL ports except those that you need. Especially only allowing SSH access to the box from limited IPs. If you need help, just ask.

This sounds like a brute-forced password hack via remote access, or overflow via vulnerable software that should not be Internet facing. Don't give me your IP if you don't want, just tell us (or me personally) what should be Internet facing (as far as services), and get you fixed up.

Have you checked your daily cron outputs lately? What do they say?

nmap is your friend, and so is IPFW. Figure out exactly what you need to face the Internet, and staple the rest closed.

Steve

>
> -Mark
>
> --
> GnuPG Public Key:
> http://www.mkproductions.org/mk_pubkey.asc
>
> Internet Radio:
> Party107 (Trance/Electronic) - http://www.party107.com
> Rock 101.9 The Edge (Rock) - http://www.rock1019.net
>
> IRC:
> MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
>
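Steve's "block ALL ports except those that you need" advice, worked out as an added example that is not part of the thread: a review-first ipfw script for a kernel built with the IPFIREWALL options above. The interface name fxp0, the management addresses 192.0.2.10 and 198.51.100.0/24, and the public ports 80 and 443 are placeholder assumptions, not values from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail): default-deny ipfw rule set for a
# FreeBSD 5.x host with IPFIREWALL/IPFIREWALL_VERBOSE in the kernel. Only the
# services that must face the Internet are opened, SSH is limited to a few
# management addresses, everything else is logged and dropped.
# All hosts, ports and the interface below are placeholders (assumptions).

FW_CMD="${FW_CMD:-/sbin/ipfw}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the rules for review; 0 = load them
OIF="${OIF:-fxp0}"                                    # Internet-facing interface
SSH_ADMIN_HOSTS="${SSH_ADMIN_HOSTS:-192.0.2.10 198.51.100.0/24}"  # who may SSH in
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"        # services that must be reachable

# Run ipfw, or just echo the command line when reviewing.
fw() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipfw %s\n' "$*"
    else
        "$FW_CMD" "$@"
    fi
}

build_rules() {
    fw -q flush
    # Loopback traffic, and nothing pretending to be loopback on the wire.
    fw add 100 allow ip from any to any via lo0
    fw add 110 deny log ip from any to 127.0.0.0/8
    fw add 120 deny log ip from 127.0.0.0/8 to any
    # Sessions this host initiates, and the return traffic for them.
    fw add 200 check-state
    fw add 210 allow ip from me to any out via "$OIF" keep-state
    # Data packets of inbound TCP sessions accepted by the SYN-only rules below.
    fw add 220 allow tcp from any to me in via "$OIF" established
    # SSH: new connections only, and only from the management hosts.
    for h in $SSH_ADMIN_HOSTS; do
        fw add 300 allow tcp from "$h" to me 22 in via "$OIF" setup
    done
    # The services that genuinely need to face the Internet.
    for p in $PUBLIC_TCP_PORTS; do
        fw add 400 allow tcp from any to me "$p" in via "$OIF" setup
    done
    # Keep ping and path-MTU discovery working.
    fw add 500 allow icmp from any to any icmptypes 0,3,8,11
    # Everything else is stapled closed and logged (IPFIREWALL_VERBOSE).
    fw add 65000 deny log ip from any to any
}

build_rules
```

Run it once with the default DRY_RUN=1, check that the printed rule list matches the services you actually want exposed, then load it with DRY_RUN=0 as root.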