From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 04:55:29 2005
From: Bill Desjardins
To: freebsd-security@freebsd.org
Cc: Mark Jayson Alvarez
Date: Wed, 16 Nov 2005 23:55:27 -0500
Subject: Re: Need urgent help regarding security
Message-ID: <20051116235527.4okakp84gk40osco@webmail.tuffmail.net>
In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com>

Mark, before going too nuts with trying to locate how they got in, let me ask: are you running a webserver on this server, and any websites? Take a look in /tmp, /var/tmp and do a find for any directories which have 777 perms, like uucppublic in /var. If so, are they owned by the web user?
I have seen many IRC bots installed from poorly written PHP and Perl programs into /tmp and such, which are then run via the same security holes that allowed them to be installed. These programs can only be run on high port numbers and are owned by the webserver owner. 99 of 100 are usually IRC bots as well. Another thing to look for is if they installed a cron job for the web user which re-downloads the files if they are deleted. You can disable cron for www, and it is recommended. I have seen these tactics more and more lately, and the amount of bad 3rd party code used by my users doesn't help at all.

HTH,

Bill

--
Bill Desjardins
d: 305.205.8644
EtherneXt.com - Managed Colocation & Bandwidth
bill@ethernext.com
Phone: 305.373.5960

Quoting Mark Jayson Alvarez:

> Good Day!
>
> I think we have a serious problem. One of our old servers running FreeBSD 4.9 has been compromised and is now connected to an ircd server..
> 195.204.1.132.6667 ESTABLISHED
>
> However, we still haven't brought the server down in an attempt to track the intruder down. Right now we are clueless as to what we need to do..
> Most of our servers are running legacy operating systems (old versions, mostly FreeBSD). Also, that particular server is running ProFTPD Version 1.2.4, which someone has suggested has a known vulnerability..
>
> I really need all the help I can get, as the administration of those servers was just transferred to us by former admins. The server is used for ftp.
>
> Thanks..
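A shell triage helper for the checks Bill lists above (world-writable directories and their owners, files owned by the web user, cron for www, and the established IRC connection from Mark's netstat line), added here as an example and not code from either poster. It assumes a POSIX sh with find, ls and awk, FreeBSD's cron deny list at /var/cron/deny, and a web user named www; the sample netstat lines are constructed.

```shell
#!/bin/sh
# Added triage helper for the checks Bill describes (not code from the thread).
# Assumes POSIX sh with find(1), ls(1), awk(1) and FreeBSD's cron deny list at
# /var/cron/deny (the path is a parameter so it can be exercised elsewhere).

owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# 1. Directories anyone may write to (o+w, e.g. mode 777), with their owner.
#    Bill: look in /tmp, /var/tmp and for 777 dirs such as uucppublic in /var.
find_world_writable_dirs() {
    find "$@" -type d -perm -0002 2>/dev/null | while read -r d; do
        printf '%s %s\n' "$(owner_of "$d")" "$d"
    done
}

# 2. Files a given user (the web server's user) owns under those roots;
#    dropped bots usually belong to the web user, as Bill notes.
files_owned_by() { u=$1; shift; find "$@" -user "$u" -type f 2>/dev/null; }

# 3. Bill's recommendation: disable cron for the web user so a re-download
#    job cannot restore deleted files. Idempotent append to the deny list.
deny_cron_for() {
    u=$1; deny=${2:-/var/cron/deny}
    grep -qx "$u" "$deny" 2>/dev/null || printf '%s\n' "$u" >> "$deny"
}

# 4. Filter `netstat -an` output (stdin) for ESTABLISHED connections whose
#    foreign address ends in the IRC port, as in Mark's
#    "195.204.1.132.6667 ESTABLISHED". Accepts BSD "a.b.c.d.port" and
#    Linux "a.b.c.d:port" notation; prints the foreign address.
established_irc() {
    awk -v p="${1:-6667}" '/ESTABLISHED/ && $5 ~ ("[.:]" p "$") { print $5 }'
}

# Constructed sample netstat -an lines for a self-check (the IRC host is the
# one from Mark's message; the other addresses are made up).
SAMPLE_NETSTAT='tcp4  0  0  10.0.0.5.3342   195.204.1.132.6667  ESTABLISHED
tcp4  0  0  10.0.0.5.22     10.0.0.9.51000      ESTABLISHED
tcp   0  0  10.0.0.5:40000  192.0.2.7:6667      ESTABLISHED
tcp4  0  0  *.21            *.*                 LISTEN'

# Full triage against the live system: sh triage.sh --run www
triage_report() {
    webuser=${1:-www}
    echo "== world-writable dirs =="; find_world_writable_dirs /tmp /var/tmp /var
    echo "== files owned by $webuser =="; files_owned_by "$webuser" /tmp /var/tmp
    echo "== crontab for $webuser =="; crontab -u "$webuser" -l 2>/dev/null
    echo "== established IRC connections =="; netstat -an 2>/dev/null | established_irc
}
case "${1:-}" in --run) triage_report "${2:-www}" ;; esac
```

Run it as root with `--run` to get the report; `deny_cron_for www` is left for you to call deliberately, since it edits /var/cron/deny.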