From: Mark Kane <mark@mkproductions.org>
To: David Kirchner
Cc: freebsd-questions@freebsd.org
Subject: Re: Need urgent help regarding security
Date: Wed, 16 Nov 2005 23:42:22 -0600
Message-ID: <437C183E.5020802@mkproductions.org>
In-Reply-To: <35c231bf0511161931i371ff97dj6da274892c84619e@mail.gmail.com>

David Kirchner wrote:
> On 11/16/05, Mark Kane wrote:
>
>> I also see a psyBNC server listening on port 7978:
>>
>> server# sockstat -l4 | grep psybnc
>> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
>> wicked6  psybnc     15819 3  tcp4   *:7978           *:*
>>
>> Funny thing is there is no process by wicked6 (or by anyone currently)
>> called "psybnc". I can connect to an IP on that server on port 7978 and
>> get a psyBNC though. I've checked for other processes by wicked6, nothing.
>
> It's very common for them to overwrite argv[0], or use setproctitle
> stuff to hide the real name of the program. Some programs don't read
> that -- sockstat and top are two that don't read the modified program
> name.
>
>> It's trying to make a connection on 6667 to that IP as I said:
>>
>> server1# netstat -n | grep 6667
>> tcp4  0  0  xx.xx.xx.xx.64243  195.197.175.21.6667  SYN_SENT
>
> netstat -aAn (specifically, the -A) instructs netstat to prepend each
> line with the memory address of the network connection. If you run
> that you'll see something like:
>
> f0d710c0 tcp4  0  0  xxx.xxx.xxx.xxx.29  211.119.136.240.66  ESTABLISHED
>
> (sometimes, the port numbers get truncated, so you may have to grep
> for the destination IP instead of the port number.)
>
> You can take that address and run fstat | grep address:
>
> $ fstat | grep f0d710c0
> www  iroffer  19133  3*  internet stream tcp f0d710c0
>
> In this specific case, it's an iroffer program run from some PHP
> backdoor someone installed on the server (see
> http://malformed.org/2005/11/15/zend-encoder-bad-for-the-internet/ for
> a description of the present/near-future of these PHP backdoors). In
> your case it may be that you're running suexec or suPHP, or it may not
> have been started from the web at all. If that's the case, you may be
> able to find out what else is going on by ensuring /proc is mounted
> and then run: ps -uxwwep pid:
>
> ps -uxwwep 19133
> USER  PID    %CPU %MEM VSZ  RSS TT  STAT STARTED  TIME     COMMAND
> www   19133  0.0  0.0  1244 424 ??  S    22Oct05  12:52.03 ...
> DOC_ROOT=/usr/home/user/websites/domain.com ...
>
> You may also see SCRIPT_FILENAME or PWD or other environment variables
> that may give you hints as to where this was started from.
>
> There are some other programs that'll do all this for you, I think
> 'lsof' is one. I dunno. I prefer to use base system utilities. But to
> each their own.
>
> Of course, if the listening process isn't showing up at all, but you
> can still connect to the port, then you may have some sort of hacked
> kld loaded or hacked ps, in which case the attacker has root, which is
> a far more serious situation.

Okay, well, I looked around some more now and found it. It was in
/var/tmp/.packlist.0928456/ and it was showing up as "[psybnc]" (wasn't
there before). A kill -9 got rid of it. I'm now grepping to try to find
out what may have created that or launched it.

Thanks

-Mark

-- 
GnuPG Public Key: http://www.mkproductions.org/mk_pubkey.asc
Internet Radio: Party107 (Trance/Electronic) - http://www.party107.com
                Rock 101.9 The Edge (Rock) - http://www.rock1019.net
IRC: MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
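The netstat -aAn to fstat correlation and the ps -uxwwe environment check that David describes, worked up as a small POSIX sh script. This is an added example, not code from the thread or from FreeBSD; the function names are made up, the tool output it parses is constructed (documentation IP ranges, invented PCB addresses) and is laid out like the real commands' output so the same functions can be fed live data.

```sh
#!/bin/sh
# Map a network connection to its owning process the way the reply does:
# `netstat -aAn` prints the PCB address of every socket and `fstat` prints
# the same address next to each process holding it. Each function reads one
# tool's output on stdin, so on a live FreeBSD box:
#   netstat -aAn | pcb_for_peer 203.0.113.9      fstat | owner_of_pcb f0d710c0

# pcb_for_peer DEST_IP: PCB addresses of sockets whose foreign address is
# DEST_IP on any port. Matching on "IP." sidesteps the truncated-port problem
# from the reply and keeps 192.0.2.2 from matching 192.0.2.21.
pcb_for_peer() {
    awk -v ip="$1." 'NF >= 6 && index($6, ip) == 1 { print $1 }'
}

# owner_of_pcb PCB: "USER CMD PID" of each process whose fstat line ends in
# that PCB address (one process may hold the socket on several fds).
owner_of_pcb() {
    awk -v pcb="$1" '$NF == pcb { print $1, $2, $3 }' | sort -u
}

# who_talks_to DEST_IP NETSTAT_OUTPUT FSTAT_OUTPUT: the whole chain.
# Live use: who_talks_to 203.0.113.9 "$(netstat -aAn)" "$(fstat)"
who_talks_to() {
    for pcb in $(printf '%s\n' "$2" | pcb_for_peer "$1"); do
        printf '%s\n' "$3" | owner_of_pcb "$pcb"
    done
}

# env_hints PS_OUTPUT: from `ps -uxwwep PID` output, pull the environment
# variables the reply says point back to how a web-spawned process started.
env_hints() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^(DOC_ROOT|SCRIPT_FILENAME|PWD)='
}

# Constructed sample output (not captured from the thread's server).
NETSTAT_SAMPLE='Tcpcb    Proto Recv-Q Send-Q  Local Address    Foreign Address     (state)
f0d710c0 tcp4       0      0  192.0.2.5.64243  203.0.113.9.6667    SYN_SENT
f0d71280 tcp4       0      0  *.7978           *.*                 LISTEN
f0d71440 tcp4       0      0  192.0.2.5.22     198.51.100.7.51234  ESTABLISHED'
FSTAT_SAMPLE='USER     CMD        PID   FD MOUNT      INUM MODE         SZ|DV R/W
wicked6  [psybnc] 15819    3* internet stream tcp f0d710c0
wicked6  [psybnc] 15819    4* internet stream tcp f0d71280
root     sshd      2201    5* internet stream tcp f0d71440'
PS_SAMPLE='www 19133 0.0 0.0 1244 424 ?? S 22Oct05 12:52.03 ./httpd PWD=/tmp DOC_ROOT=/usr/home/user/websites/example.com'

who_talks_to 203.0.113.9 "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE"   # wicked6 [psybnc] 15819
```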