From: Mohd Ghalib Akhtar
To: "Heiko Wundram (Beenic)", freebsd-questions@freebsd.org
Date: Sat, 11 Aug 2007 05:10:23 -0700 (PDT)
Subject: Re: server was hacked
Message-ID: <362502.40629.qm@web43134.mail.sp1.yahoo.com>

Hi,
how to restore a deleted file or folder in Linux?

Take care
Mohd.Ghalib Akhtar
(India.M)9899868681
(Africa.M) +255787896861

----- Original Message ----
From: Heiko Wundram (Beenic)
To: freebsd-questions@freebsd.org
Sent: Saturday, August 11, 2007 2:54:29 PM
Subject: Re: server was hacked

On Saturday 11 August 2007 13:20:31, Brent wrote:
> I'm running FBSD 5.4 as a web server; the server is behind a Cisco firewall
> /router and the server has a lot of CMS Joomla / Mambo sites on it. I
> noticed that when I ran sockstat I was seeing multiple IPs connected to
> high ports on the server with a process id of "psybnc". Did some looking
> around & found that this is an IRC relay program that was installed through
> a compromised Mambo site.

That was a known Mambo vulnerability which also hit a client of ours. It's not
a root compromise, though, AFAIR.

> On FBSD how do you checksum binaries on the system to ensure someone hasn't
> replaced one with their own binary?

Install security/tripwire and configure properly.

-- 
Heiko Wundram
Product & Application Development
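
The baseline-and-compare idea behind the checksum question and the tripwire suggestion in the thread above, as an added example that is not part of the original messages and is not Tripwire's own code or configuration. The function names and the temporary-directory sample are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Return {relative path: (sha256, permission bits, uid, gid)} for regular files."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: a symlink is not hashed as its target
            if stat.S_ISREG(st.st_mode):
                snap[os.path.relpath(full, root)] = (
                    sha256_file(full), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return snap

def compare(baseline, current):
    """Classify every path that differs between the baseline and the current state."""
    report = {"added": [], "removed": [], "content": [], "metadata": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path][0] != current[path][0]:
            report["content"].append(path)
        elif baseline[path][1:] != current[path][1:]:
            report["metadata"].append(path)
    return report

def demo():  # constructed sample: a temporary directory stands in for a bin directory
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("ls", "ps", "netstat", "su"):
            (root / name).write_bytes(b"original " + name.encode())
        baseline = snapshot(root)  # in real use, keep this off the monitored host
        (root / "ps").write_bytes(b"replaced")  # same name, new content
        (root / "su").chmod(0o777)              # content intact, mode changed
        (root / "netstat").unlink()             # file from the baseline is gone
        (root / "psybnc").write_bytes(b"new")   # file absent from the baseline
        return compare(baseline, snapshot(root))
```

A baseline is only meaningful if it was taken from a known-good system and is stored on read-only or remote media, since a baseline kept on the host it describes can be rewritten along with the binaries.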