From owner-freebsd-stable Mon Dec 2 15:49:51 2002
Date: Mon, 2 Dec 2002 17:55:05 -0600
From: Wayne M Barnes <stabilizer@klentaq.com>
To: Charles Swiger <cswiger@mac.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: psybnc and IRC hack
Message-ID: <20021202175505.A1525@klentaq.com>
In-Reply-To: <009101c29a34$1b96f4d0$0301a8c0@prime>
References: <20021202123616.A33705@klentaq.com> <009101c29a34$1b96f4d0$0301a8c0@prime>
User-Agent: Mutt/1.2.5.1i

Dear Charles,

What is "an IRC bouncer"? Is it something I can use to protect
against this hijack of my system? I am running recent FreeBSD 4.7.

- Wayne

On Mon, Dec 02, 2002 at 01:53:23PM -0500, Charles Swiger wrote:
> [ This probably belongs on freebsd-security, instead... ]
>
> Wayne M Barnes wrote:
> > How can I best recover from, and defend myself from, a hacker
> > who breaks into my system and runs a program called psybnc
> > without my permission? I think he is using my system as a
> > front/slave.
>
> Yes. Unless you installed an IRC bouncer-- or whatever it was being used for--
> yourself, it's a safe bet that your machine was hacked. You haven't identified
> much about the system-- OS version, what service was compromised (if you know,
> and you should investigate that), as well as form an incident timeline.
>
> The best way to recover is to backup the compromised system, for recovery of
> your data and later forensics if you (or your ISP) chooses to investigate
> further.
>
> Reinstall the latest version of FreeBSD from a known-good image, possibly using
> CVSUP to upgrade to -STABLE or the security branch for your version
> (RELENG_4_7?).
>
> Then restore your data (after making sure nothing was compromised...that means
> do not copy data, especially executables, without checking them against prior
> backups).
>
> > For now, I have killed psybnc, deleted the directory of stuff
> > that he put in, and changed my password. Is that any good?
>
> It's a good starting point, yes, but it certainly isn't sufficient.
>
> > Can there be a real vaccination built in to FreeBSD?
>
> Yes. It's easy to compare your system against the software from the OS install
> disk; where many people encounter problems is with the changes they've made
> afterwards themselves. How complete are your backups?
>
> -Chuck
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

--
Wayne M Barnes
stabilizer@klentaq.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
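The comparison Chuck recommends (checking a compromised box against the install media or a pre-incident backup before restoring anything) can be scripted in portable sh. This is an added example, not code from the thread or from FreeBSD; it assumes only standard tools (find, awk, mktemp) plus sha256sum, sha256 or cksum, and the tree paths are constructed placeholders.

```shell
#!/bin/sh
# Hash one file with whatever the host provides: sha256sum (GNU),
# sha256 (FreeBSD base), or cksum as a weak last resort.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Write a manifest of every regular file under $1 as "<hash>  <./path>".
# Run this against the known-good tree (mounted install media or a
# backup taken before the incident), never against the live suspect box.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(file_hash "$f")" "$f"
    done )
}

# Compare a live tree ($2) against a baseline manifest ($1).
# Prints MODIFIED / ADDED / MISSING lines and returns 1 if anything
# differs, 0 if the tree matches. Paths containing whitespace are not handled.
# Usage: make_manifest /mnt/known-good > base.txt; verify_tree base.txt /
verify_tree() {
    baseline=$1 root=$2
    current=$(mktemp) || return 2
    make_manifest "$root" > "$current"
    diffs=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base))       print "ADDED    " $2
            else if (base[$2] != $1) print "MODIFIED " $2
            delete base[$2]
        }
        END { for (p in base) print "MISSING  " p }
    ' "$baseline" "$current")
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}
```

Hashes must come from a trusted copy of the tools: a manifest built with binaries on the compromised system proves nothing, which is why the thread says to reinstall first and then check restored data.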