Date:      Wed, 16 Nov 2005 19:31:33 -0800
From:      David Kirchner <dpk@dpk.net>
To:        Mark Kane <mark@mkproductions.org>
Cc:        iaccounts@ibctech.ca, Mark Jayson Alvarez <jay2xra@yahoo.com>, freebsd-questions@freebsd.org
Subject:   Re: Need urgent help regarding security
Message-ID:  <35c231bf0511161931i371ff97dj6da274892c84619e@mail.gmail.com>
In-Reply-To: <437BED9F.6010703@mkproductions.org>
References:  <20051117011640.27963.qmail@web51612.mail.yahoo.com> <437BED9F.6010703@mkproductions.org>

On 11/16/05, Mark Kane <mark@mkproductions.org> wrote:
> I also see a psyBNC server listening on port 7978:
>
> server# sockstat -l4 | grep psybnc
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> wicked6  psybnc     15819 3  tcp4   *:7978                *:*
>
> Funny thing is there is no process by wicked6 (or by anyone currently)
> called "psybnc". I can connect to an IP on that server on port 7978 and
> get a psyBNC though. I've checked for other processes by wicked6, nothing.

It's very common for them to overwrite argv[0], or use setproctitle
stuff to hide the real name of the program. Some programs don't read
that -- sockstat and top are two that don't read the modified program
name.

> It's trying to make a connection on 6667 to that IP as I said:
>
> server1# netstat -n | grep 6667
> tcp4       0      0  xx.xx.xx.xx.64243    195.197.175.21.6667    SYN_SENT

netstat -aAn (specifically, the -A) instructs netstat to prepend each
line with the memory address of the network connection. If you run
that you'll see something like:

f0d710c0 tcp4       0      0  xxx.xxx.xxx.xxx.29 211.119.136.240.66 ESTABLISHED

(sometimes, the port numbers get truncated, so you may have to grep
for the destination IP instead of the port number.)

You can take that address and run fstat | grep address:

$ fstat | grep f0d710c0
www      iroffer    19133    3* internet stream tcp f0d710c0

In this specific case, it's an iroffer program run from some PHP
backdoor someone installed on the server (see
http://malformed.org/2005/11/15/zend-encoder-bad-for-the-internet/ for
a description of the present/near-future of these PHP backdoors). In
your case it may be that you're running suexec or suPHP, or it may not
have been started from the web at all. If that's the case, you may be
able to find out what else is going on by ensuring /proc is mounted
and then run: ps -uxwwep pid:

ps -uxwwep 19133
USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
www  19133  0.0  0.0  1244  424  ??  S    22Oct05  12:52.03 ...
DOC_ROOT=/usr/home/user/websites/domain.com ...

You may also see SCRIPT_FILENAME or PWD or other environment variables
that may give you hints as to where this was started from.

There are some other programs that'll do all this for you, I think
'lsof' is one. I dunno. I prefer to use base system utilities. But to
each their own.

Of course, if the listening process isn't showing up at all, but you
can still connect to the port, then you may have some sort of hacked
kld loaded or hacked ps, in which case the attacker has root, which is
a far more serious situation.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?35c231bf0511161931i371ff97dj6da274892c84619e>
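
The netstat -aAn -> fstat -> ps -e chain described in the message above, scripted as an added example (this is not code from the original mail or from the FreeBSD project). Every sample output embedded in it is constructed: the IPs, socket addresses, PIDs, user names and paths are hypothetical and only mimic the shape of FreeBSD-era netstat -aAn, fstat and ps -uxwwep output, so that the script runs offline. On a real host you would feed the functions the live command output instead of the samples.

```shell
#!/bin/sh
# Added example, not part of the original mail. It automates the
# netstat -aAn -> fstat -> ps -e chain the mail walks through by hand.
# All sample output below is constructed (hypothetical addresses, PIDs,
# users and paths) in the shape of FreeBSD netstat/fstat/ps output so
# the script runs offline; on a real box substitute `netstat -aAn`,
# `fstat` and `ps -uxwwep PID` output for the samples.

# Constructed `netstat -aAn` sample. The ESTABLISHED line has a truncated
# destination port ("66"), the case the mail warns about.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Tcpcb    Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
f0d710c0 tcp4       0      0  192.0.2.10.29      198.51.100.7.66    ESTABLISHED
f0d72340 tcp4       0      0  192.0.2.10.64243   198.51.100.21.6667 SYN_SENT
f0d73a80 tcp4       0      0  *.22               *.*                LISTEN'

# Constructed `fstat` sample: the last field of a socket line is the same
# kernel address that netstat -A printed in its first column.
FSTAT_SAMPLE='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
www      iroffer    19133    3* internet stream tcp f0d710c0
wicked6  psybnc     15819    3* internet stream tcp f0d72340
root     sshd         512    3* internet stream tcp f0d73a80'

# Constructed `ps -uxwwep 19133` sample (-e appends the environment).
PS_SAMPLE='USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
www  19133  0.0  0.0  1244  424  ??  S    22Oct05  12:52.03 ./iroffer -b DOC_ROOT=/usr/home/user/websites/domain.com SCRIPT_FILENAME=/usr/home/user/websites/domain.com/x.php PWD=/tmp/.x SERVER_SOFTWARE=Apache'

# socket_addrs_for_peer NETSTAT_OUTPUT PEER_IP
# Print the kernel socket address (column 1) of every connection whose
# foreign address is PEER_IP. Matching on "IP." as a prefix means a
# truncated or unknown port column still matches, as the mail suggests.
socket_addrs_for_peer() {
    printf '%s\n' "$1" | awk -v peer="$2" '
        NF >= 6 && index($6, peer ".") == 1 { print $1 }'
}

# socket_owner FSTAT_OUTPUT ADDR
# Print "user pid command" for the fstat line that holds socket ADDR.
socket_owner() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        $NF == addr { print $1, $3, $2 }'
}

# trace_peer PEER_IP
# Chain the two lookups: one line "addr user pid command" per socket
# talking to PEER_IP, nothing if no process holds such a socket.
trace_peer() {
    for addr in $(socket_addrs_for_peer "$NETSTAT_SAMPLE" "$1"); do
        owner=$(socket_owner "$FSTAT_SAMPLE" "$addr")
        if [ -n "$owner" ]; then
            printf '%s %s\n' "$addr" "$owner"
        fi
    done
}

# env_hints PS_OUTPUT
# Pull out the environment variables that point back at where the
# process was started (DOC_ROOT, SCRIPT_FILENAME, PWD), one per line.
env_hints() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        grep -E '^(DOC_ROOT|SCRIPT_FILENAME|PWD)=' || true
}

# Usage when run directly, e.g.:  sh trace_peer.sh 198.51.100.7
if [ -n "$1" ]; then
    trace_peer "$1"
    echo "--- environment hints for the sample PID ---"
    env_hints "$PS_SAMPLE"
fi
```

Two caveats when running this against a live host: the address netstat -A prints is a kernel pointer that is only meaningful while the socket exists, so run netstat and fstat back to back rather than from saved output, and, as the message's last paragraph notes, if the kernel or the base utilities have been replaced none of these outputs can be trusted.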