From owner-freebsd-questions@FreeBSD.ORG Thu Nov 17 03:06:43 2005
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 193D916A41F for ; Thu, 17 Nov 2005 03:06:43 +0000 (GMT) (envelope-from iaccounts@ibctech.ca)
Received: from pearl.ibctech.ca (pearl.ibctech.ca [209.167.58.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 75DB643D45 for ; Thu, 17 Nov 2005 03:06:42 +0000 (GMT) (envelope-from iaccounts@ibctech.ca)
Received: (qmail 10933 invoked by uid 1002); 17 Nov 2005 03:07:20 -0000
Received: from iaccounts@ibctech.ca by pearl.ibctech.ca by uid 89 with qmail-scanner-1.22 (spamassassin: 2.64. Clear:RC:1(209.167.16.15):. Processed in 1.790391 secs); 17 Nov 2005 03:07:20 -0000
Received: from unknown (HELO fuze) (209.167.16.15) by pearl.ibctech.ca with SMTP; 17 Nov 2005 03:07:17 -0000
From: "Steve Bertrand"
To: "'Mark Kane'" , "'Mark Jayson Alvarez'"
Date: Wed, 16 Nov 2005 22:06:39 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
Thread-Index: AcXrIGqb3cw5MVlATQuxd7UXwAhsJgAAdebQ
In-Reply-To: <437BED9F.6010703@mkproductions.org>
X-Qmail-Scanner-Message-ID: <113219683867510911@pearl.ibctech.ca>
Message-Id: <20051117030642.75DB643D45@mx1.FreeBSD.org>
Cc: iaccounts@ibctech.ca, freebsd-questions@freebsd.org
Subject: RE: Need urgent help regarding security
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 17 Nov 2005 03:06:43 -0000

> - "top" lists nothing significant. 97% idle CPU

Irrelevant, the process is probably idle right now.

> - "w" only shows myself and one other legit user logged in
> who is editing config files with vi

Perhaps they aren't currently logged in.

> - "last" shows nothing but myself and that one other user

What is the last entry that last shows (no pun intended)... ie: what is the
date?

> - "ps -aux" doesn't say anything about psyBNC or bnc.
> everything looks normal as of now

Ok, here's what to do:

# pkg_add -r nmap
# rehash
# nmap -sS -P0 my.ip.server.com

...then (probably futile):

# nmap -sU -P0 my.ip.server.com

which will tell you if you are listening on ports you *shouldn't* have open.

> - It's a FreeBSD 5.4-RELEASE machine with a generic kernel
> except with quota support

You still didn't answer the FTP question. What services should be running
on it?

You can easily rebuild a new kernel with:

options IPFIREWALL                     # enable ipfw packet filtering
options IPFIREWALL_VERBOSE             # log matched rules via syslog
options IPFIREWALL_VERBOSE_LIMIT=1000  # cap log entries per rule

Then create a script blocking ALL ports except those that you need.
Especially, only allow SSH access to the box from limited IPs. If you need
help, just ask.

This sounds like a brute-forced password hack via remote access, or an
overflow via vulnerable software that should not be Internet facing.

Don't give me your IP if you don't want, just tell us (or me personally)
what should be Internet facing (as far as services), and get you fixed up.

Have you checked your daily cron outputs lately? What do they say?

nmap is your friend, and so is IPFW. Figure out exactly what you need to
face the Internet, and staple the rest closed.

Steve

>
> -Mark
>
> --
> GnuPG Public Key:
> http://www.mkproductions.org/mk_pubkey.asc
>
> Internet Radio:
> Party107 (Trance/Electronic) - http://www.party107.com
> Rock 101.9 The Edge (Rock) - http://www.rock1019.net
>
> IRC:
> MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
>
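The two halves of Steve's advice above (scan the box to find listeners you did not expect, then write an ipfw script that closes everything except the services that should face the Internet, with SSH limited to a few addresses) can be tied together in a small script. The following is an added example for this thread, not code from Steve's reply nor the FreeBSD project's own rc.firewall. It parses nmap's grepable output (`nmap -sS -P0 -oG - host`) against an allow list and emits a default-deny ipfw ruleset for that same list. The scan text, the interface name `fxp0`, and the admin network `203.0.113.0/24` are constructed placeholders, so it runs offline; on a real box you would feed it a live scan and your own interface and network.

```shell
#!/bin/sh
# Added example (not from the thread): compare a port scan against the list
# of services that are supposed to face the Internet, then emit a
# default-deny ipfw ruleset that opens exactly those services.

# Constructed sample of nmap grepable (-oG) output, not a real scan: the host
# should only be running sshd (22) and httpd (80); 31337/tcp is a surprise.
SAMPLE_SCAN='# Nmap scan (constructed sample)
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 31337/open/tcp//Elite///
# Nmap done'

# open_ports SCAN_TEXT -> one "port/proto" per line for every open port.
# Splits the Host: line on commas and keeps only tokens of the form N/open/proto.
open_ports() {
    printf '%s\n' "$1" \
      | grep '^Host:' \
      | tr ',' '\n' \
      | sed -n 's|.*[^0-9]\([0-9][0-9]*\)/open/\([a-z]*\)/.*|\1/\2|p' \
      | sort -u
}

# unexpected_ports SCAN_TEXT "22/tcp 80/tcp" -> open ports NOT on the allow
# list, i.e. listeners you should go and explain (or staple closed).
unexpected_ports() {
    scan=$1; allowed=$2
    for p in $(open_ports "$scan"); do
        case " $allowed " in
            *" $p "*) ;;                 # expected listener
            *) printf '%s\n' "$p" ;;     # not supposed to be there
        esac
    done
}

# ipfw_rules "22/tcp 80/tcp" ADMIN_NET [IFACE] -> prints a stateful,
# default-deny ipfw ruleset: loopback and outbound allowed, each listed
# service allowed inbound, SSH (22/tcp) only from ADMIN_NET, everything
# else denied and logged (logging needs IPFIREWALL_VERBOSE in the kernel).
ipfw_rules() {
    allowed=$1; admin_net=$2; ifc=${3:-fxp0}   # fxp0 is a placeholder NIC
    echo "ipfw -f flush"
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 200 check-state"
    echo "ipfw add 300 allow tcp from me to any out via $ifc setup keep-state"
    echo "ipfw add 310 allow udp from me to any out via $ifc keep-state"
    n=1000
    for p in $allowed; do
        port=${p%/*}; proto=${p#*/}
        if [ "$p" = "22/tcp" ]; then src=$admin_net; else src=any; fi
        # 'setup' (match SYN only) applies to tcp; udp just tracks state
        if [ "$proto" = tcp ]; then opts="setup keep-state"; else opts="keep-state"; fi
        echo "ipfw add $n allow $proto from $src to me $port in via $ifc $opts"
        n=$((n + 10))
    done
    echo "ipfw add 65000 deny log ip from any to any"
}

# Demonstration on the constructed sample.
echo "Open ports not on the allow list:"
unexpected_ports "$SAMPLE_SCAN" "22/tcp 80/tcp"
echo
echo "Ruleset for the allow list (SSH only from 203.0.113.0/24):"
ipfw_rules "22/tcp 80/tcp" "203.0.113.0/24"
```

The generated rules are printed rather than applied so they can be read over first; on the box itself they would go into the script that /etc/rc.conf points at via firewall_script, and the first line should always be the SSH rule so a mistake further down does not lock you out.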