From owner-freebsd-questions@FreeBSD.ORG Thu Jun 23 23:07:03 2005
From: "Ruben Bloemgarten" <ruben@bloemgarten.demon.nl>
To: "'Chuck Swiger'"
Cc: FreeBSD-questions@FreeBSD.org
Date: Fri, 24 Jun 2005 01:06:59 +0200
Subject: RE: stat running as www weirdness - generating INCOMING traffic
In-Reply-To: <42BAF0BF.8000200@mac.com>
Message-Id: <20050623230702.B4E7743D4C@mx1.FreeBSD.org>

After I stopped being lazy (my sincere apologies) and a little backtracking I realized I had been seriously compromised.
A cronjob had been installed in /var/tmp/httpd.cron. This contained the following disturbing files:

  drwxr-xr-x  3 www wheel   512B Jun 23 23:30 ../
  -rw-r--r--  1 www wheel   327M Jun 22 09:46 my.summer.of.love.2005.italian.md.ts.xvid-mcf.avi
  drwxr-xr-x  4 www wheel   1.0K Jun 22 06:31 ./
  -rw-r--r--  1 www wheel   482M Jun 21 22:39 My.SuMMer.Of.LoVe.2005.iTaLiaN.MD.TS.XviD-MCF.avi
  -rw-r--r--  1 www wheel   1.1K Jun 21 07:08 Infodll.state
  -rw-r--r--  1 www wheel   1.1K Jun 21 07:05 Infodll.state~
  -rw-r--r--  1 www wheel     0B Jun 19 16:54 PROFONDO_BLU_.avi
  -rw-r--r--  1 www wheel   6.0K Jun 16 01:05 README.txt
  -rw-r--r--  1 www wheel   1.5K Jun 12 21:46 httpd.cron
  -rwxr-xr-x  1 www wheel   207K Jun 10 18:52 stat*
  drwxr-xr-x  2 www wheel   512B Jun 10 18:52 obj/
  -rwxr-xr-x  1 www wheel  59.8K Jun 10 18:51 convertxdccfile*
  -rw-r--r--  1 www wheel   4.2K Jun 10 18:51 Makefile
  drwxr-xr-x  2 www wheel   512B Jun 10 18:51 src/
  -r--r--r--  1 www wheel  22.6K Jan 17 00:17 sample.config
  -r--r--r--  1 www wheel  15.6K Jan 17 00:17 COPYING
  -r--r--r--  1 www wheel  23.0K Jan 17 00:17 WHATSNEW
  -r--r--r--  1 www wheel   4.0K Jan 17 00:17 Makefile.config
  -r-xr-xr-x  1 www wheel  28.5K Jan 17 00:17 Configure*
  -r-xr-xr-x  1 www wheel   857B Jan 17 00:17 iroffer.cron*
  -r-xr-xr-x  1 www wheel   942B Jan 17 00:17 dynip.sh*
  -r--r--r--  1 www wheel   5.0K Jan 17 00:17 README
  -rw-r--r--  1 www wheel    15B Jan 17 00:17 .cset_number

Iroffer had been installed: http://iroffer.org/

The cronjob did the following:

  more httpd.cron
  ################### Logging #################
  #pidfile Infodll.pid
  #logfile Infodll.log
  logstats no
  logrotate weekly
  statefile Infodll.state
  ###########################################
  #################### Connection #############
  connectionmethod direct
  server 66.225.223.54 6666
  server 66.225.223.54 6669
  server 66.225.223.54 6667
  channel #Eternity -key otis
  channel #Eternity.staff -key otis
  user_realname ETE
  user_modes +ix
  loginname ETE
  tcprangestart 4000
  #usenatip 195.41.47.74
  ###########################################
  #################### Slots and Queues ##############
  slotsmax 15
  queuesize 25
  nickserv_pass beatat
  maxtransfersperperson 1
  maxqueueditemsperperson 1
  restrictlist yes
  restrictsend yes
  #restrictprivlist yes
  ############################################
  ##################### Headline ################
  creditline ^C14\ \^C15^B Staff f0r #Eternity ^C14\\^B^C
  headline ^C14\ \^C15^B Staff f0r #Eternity ^C14\\^B^C
  ############################################
  ############# Adminhost and download ###############
  adminhost *!*@Eternity.Staff
  adminhost *!*@Eternity.Staff
  adminhost *!*@*Eternity.Staff*
  uploadhost *!*@*
  downloadhost *!*@*.*
  downloadhost *!*@*
  #firewall yes
  hideos yes
  #############################################
  ################ ADMINPASS GOES HERE ##############
  adminpass pYiNmgVwHKZHE
  ##############################################
  ####### RUNTIME ADDED #######
  filedir /var/tmp/cron/httpd
  uploaddir /var/tmp/cron/httpd
  user_nick ETE|DivX-01

Using dynip to advertise my box. Aaaargh!

Thanks for the help anyway.

Regards,
Ruben

-----Original Message-----
From: Chuck Swiger [mailto:cswiger@mac.com]
Sent: June 23, 2005 7:26 PM
To: ruben@bloemgarten.demon.nl
Cc: FreeBSD-questions@FreeBSD.org
Subject: Re: stat running as www weirdness - generating INCOMING traffic

Ruben Bloemgarten wrote:
> I'm seeing weirdness of stat opening up port 4000+ and generating/receiving
> enormous amounts of incoming traffic i.e. 400Gb over a 24-hour time
> period. Does this sound familiar to anyone? Thanks for any brain usage not
> my own.

Insufficient data. From which port(s) to which port(s), and are the IP addresses on the other side the same or a random range (which would imply your machine has been hacked and is scanning outwards).

Showing a tcpdump of a few example connections would be really useful.

--
-Chuck

--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.7.11/26 - Release Date: 06/22/2005
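The symptom Chuck asked about (a process owned by www listening on ports 4000 and up, with the binary sitting in /var/tmp) is easy to spot mechanically. The following triage script is an added example, not something from the thread or from iroffer; it assumes the FreeBSD column layouts of `sockstat -4 -l` and `ps -axo user,pid,command`, and the sample output it parses is constructed for illustration rather than captured from Ruben's machine.

```python
WEB_USER = "www"
SUSPECT_PORT_MIN = 4000                 # iroffer's tcprangestart in the captured config
SCRATCH_DIRS = ("/var/tmp/", "/tmp/")   # where httpd.cron and stat were found
# Constructed sample in FreeBSD `sockstat -4 -l` column layout (assumed, not captured).
SOCKSTAT_SAMPLE = """\
USER  COMMAND  PID  FD PROTO LOCAL ADDRESS  FOREIGN ADDRESS
www   httpd    612  4  tcp4  *:80           *:*
www   stat     1337 3  tcp4  *:4001         *:*
www   stat     1337 5  tcp4  *:4002         *:*
"""
# Constructed sample in `ps -axo user,pid,command` layout (assumed).
PS_SAMPLE = """\
USER  PID  COMMAND
www   612  /usr/local/sbin/httpd
www   1337 /var/tmp/httpd.cron/stat
"""

def parse_sockstat(text):
    # (user, command, pid, port) per socket; a '*' port becomes None
    rows = []
    for fields in (l.split() for l in text.splitlines()[1:]):
        if len(fields) < 6:
            continue
        user, command, pid, _fd, _proto, local = fields[:6]
        port = local.rsplit(":", 1)[-1]
        rows.append((user, command, int(pid), int(port) if port.isdigit() else None))
    return rows

def parse_ps(text):
    # pid -> executable path (first token of COMMAND)
    paths = {}
    for fields in (l.split(None, 2) for l in text.splitlines()[1:]):
        if len(fields) == 3:
            paths[int(fields[1])] = fields[2].split()[0]
    return paths

def suspicious_listeners(sockstat_text, ps_text):
    # Flag web-user sockets in iroffer's port range or backed by a binary in scratch space.
    paths = parse_ps(ps_text)
    findings = []
    for user, command, pid, port in parse_sockstat(sockstat_text):
        path = paths.get(pid, "")
        reasons = []
        if port is not None and port >= SUSPECT_PORT_MIN:
            reasons.append("listens on high port %d" % port)
        if path.startswith(SCRATCH_DIRS):
            reasons.append("binary lives in %s" % path)
        if user == WEB_USER and reasons:
            findings.append({"pid": pid, "command": command, "port": port, "path": path, "reasons": reasons})
    return findings
```

On a live box, feed it the real output with `sockstat -4 -l` and `ps -axo user,pid,command`; the legitimate httpd on port 80 produces no finding, while the stat process is flagged twice over.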