From owner-freebsd-questions@FreeBSD.ORG  Thu Nov 17 16:43:21 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: questions@freebsd.org
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7F0AA16A420
	for <questions@freebsd.org>; Thu, 17 Nov 2005 16:43:21 +0000 (GMT)
	(envelope-from pauls@utdallas.edu)
Received: from smtp1.utdallas.edu (smtp1.utdallas.edu [129.110.10.12])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 927CA43D60
	for <questions@freebsd.org>; Thu, 17 Nov 2005 16:43:20 +0000 (GMT)
	(envelope-from pauls@utdallas.edu)
Received: from utd59514.utdallas.edu (utd59514.utdallas.edu [129.110.3.28])
	by smtp1.utdallas.edu (Postfix) with ESMTP id 35CC03890D7;
	Thu, 17 Nov 2005 10:43:20 -0600 (CST)
Date: Thu, 17 Nov 2005 10:43:20 -0600
From: Paul Schmehl <pauls@utdallas.edu>
To: Steve Bertrand <iaccounts@ibctech.ca>,
	'Mark Jayson Alvarez' <jay2xra@yahoo.com>
Message-ID: <8BFD83D4B5B560BBB38AC886@utd59514.utdallas.edu>
In-Reply-To: <20051117013004.CBEA243D45@mx1.FreeBSD.org>
References: <20051117013004.CBEA243D45@mx1.FreeBSD.org>
X-Mailer: Mulberry/3.1.6 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: 'FreeBSD Questions' <questions@freebsd.org>
Subject: RE: Need urgent help regarding security
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2005 16:43:21 -0000

--On Wednesday, November 16, 2005 20:29:55 -0500 Steve Bertrand 
<iaccounts@ibctech.ca> wrote:

>
>> I think we have a serious problem. One of our old server
>> running FreeBSD 4.9 have been compromised and is now
>> connected to an ircd server..
>> 195.204.1.132.6667     ESTABLISHED
>
> Ran into this recently. Please post the entire output from:
>
># top
># w
># last
># ps -aux
># uname -a
>
Just keep in mind that any or all of these could be hacked versions 
designed to hide everything the attacker is doing.

Once a box has been hacked, you can no longer trust any of the binaries 
unless you can verify their integrity with MD5 sums from the same binaries 
on a known good box.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/