From: "Charles Swiger" <cswiger@mac.com>
To: freebsd-stable@freebsd.org
References: <20021202123616.A33705@klentaq.com>
Subject: Re: psybnc and IRC hack
Date: Mon, 2 Dec 2002 13:53:23 -0500

[ This probably belongs on freebsd-security, instead... ]

Wayne M Barnes wrote:
> How can I best recover from, and defend myself from, a hacker
> who breaks into my system and runs a program called psybnc
> without my permission? I think he is using my system as a
> front/slave.

Yes. Unless you installed an IRC bouncer-- or whatever it was being used for-- yourself, it's a safe bet that your machine was hacked. You haven't identified much about the system-- OS version, what service was compromised (if you know, and you should investigate that)-- as well as formed an incident timeline.

The best way to recover is to back up the compromised system, for recovery of your data and later forensics if you (or your ISP) choose to investigate further. Reinstall the latest version of FreeBSD from a known-good image, possibly using CVSup to upgrade to -STABLE or the security branch for your version (RELENG_4_7?). Then restore your data (after making sure nothing was compromised... that means do not copy data, especially executables, without checking them against prior backups).

> For now, I have killed psybnc, deleted the directory of stuff
> that he put in, and changed my password. Is that any good?

It's a good starting point, yes, but it certainly isn't sufficient.

> Can there be a real vaccination built in to FreeBSD?

Yes. It's easy to compare your system against the software from the OS install disk; where many people encounter problems is with the changes they've made afterwards themselves. How complete are your backups?

-Chuck
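The check Chuck describes in his last two paragraphs, comparing the running system against the software on known-good install media and checking restored executables against prior backups, comes down to a file-by-file checksum comparison. The script below is an added example, not code from the original thread or from FreeBSD: it builds a SHA-256 manifest of a known-good tree (a mounted release image or a pre-compromise backup) and of the suspect tree, then reports every file that was modified, added, or removed. It assumes `sha256sum` (GNU) or FreeBSD's `sha256(1)` is on the PATH, that file paths contain no whitespace, and the two directory arguments are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the original thread): compare a suspect system tree
# against a known-good baseline tree by SHA-256 checksum.
set -eu

# hash_tree DIR: print "sha256 relative-path" for every regular file under DIR,
# sorted by path so two manifests of the same tree are byte-identical.
hash_tree() {
    dir=$1
    (cd "$dir" && find . -type f | sort | while read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then
            h=$(sha256sum "$f" | cut -d' ' -f1)     # GNU coreutils
        else
            h=$(sha256 -q "$f")                     # FreeBSD sha256(1)
        fi
        printf '%s %s\n' "$h" "$f"
    done)
}

# compare_trees GOOD SUSPECT: print one line per difference, sorted:
#   ADDED path     - file exists only in SUSPECT (e.g. a dropped bouncer binary)
#   MISSING path   - file exists only in GOOD (deleted tooling, removed logs)
#   MODIFIED path  - file exists in both but the checksum differs (trojaned binary)
# Returns 0 when the trees are identical, 1 when any difference was found.
compare_trees() {
    tmpg=$(mktemp) && tmpc=$(mktemp)
    hash_tree "$1" > "$tmpg"
    hash_tree "$2" > "$tmpc"
    diffs=$(awk '
        FILENAME == ARGV[1] { good[$2] = $1; next }        # load baseline manifest
        {
            if (!($2 in good))            print "ADDED " $2
            else if (good[$2] != $1)      print "MODIFIED " $2
            delete good[$2]               # whatever is left at END is missing
        }
        END { for (p in good) print "MISSING " p }
    ' "$tmpg" "$tmpc" | sort)
    rm -f "$tmpg" "$tmpc"
    [ -n "$diffs" ] && printf '%s\n' "$diffs"
    [ -z "$diffs" ]
}
```

Typical use on a box restored the way the reply recommends is `compare_trees /mnt/known-good-root /`, run from the clean install with the old disk or backup mounted read-only. Anything reported as ADDED or MODIFIED under the system directories is a candidate for forensics rather than for restoring; the "changes you made yourself" that Chuck warns about will also show up here, which is exactly why a complete pre-incident backup makes the comparison meaningful.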