From: Mark Jayson Alvarez
To: kalin mintchev, Steve Bertrand
Cc: 'FreeBSD Questions', 'Mark Jayson Alvarez'
Subject: RE: Need urgent help regarding security
Date: Wed, 16 Nov 2005 19:11:19 -0800 (PST)

First, I want to thank you all for replying. For now, what I just did was pull the UTP cable from its Ethernet port. Now, no one can access it.
However, I tried once to put it back, and then the ircd connection went up silently. It is confirmed that we are running "psybnc", like someone who replied has experienced too, installed in a folder (" pnybnc") inside etc that is named with a special character... hard to get inside, but we've managed to read some files using find and grep... The chat logs are still there... seems like it has been turned into a sex chatroom... also the config of psybnc, which contains the username/password the intruder used in connecting...

Now what I want to do is just reinstall the whole operating system and secure it as much as I can. Like someone said, it's just a waste to try to track it down because the intruder might be located somewhere on the other side of the world.

To others who replied... I will just answer you all one by one...

Thanks again.
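
The message above describes a psybnc directory under etc whose name contains a special character and is hard to enter. The following is an added example, not part of the original post: one way to list such entries with `find` so they can be reviewed during triage. The function name `find_odd_names` and the three name heuristics are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Lists entries under a directory tree whose names are likely to be
# overlooked or hard to type:
#   - names containing a byte that is not printable ASCII
#   - names that begin or end with a space
#   - names that begin with ".." followed by more characters
# These heuristics are assumptions; legitimate files can match them.

find_odd_names() {
    root=$1
    # LC_ALL=C makes [:print:] mean printable ASCII only, so control
    # characters and bytes above 0x7f are both reported.
    # -print0 keeps each path intact even if it contains a newline;
    # the first tr turns every non-printable byte into '?' for display,
    # the second tr puts one path on each output line.
    LC_ALL=C find "$root" \
        \( -name '*[![:print:]]*' \
           -o -name ' *' \
           -o -name '* ' \
           -o -name '..?*' \) -print0 |
        LC_ALL=C tr -c '[:print:]\0' '?' |
        tr '\0' '\n'
}

# Run against a tree when a path is given, for example: sh script.sh /etc
if [ "$#" -gt 0 ]; then
    find_odd_names "$1"
fi
```

Because unprintable bytes are shown as `?`, a reported path cannot be pasted back into a shell; use `find` with `-exec` or `-inum` to act on the entry itself.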