Date: Sat, 11 Aug 2007 19:54:30 -0400
From: "Tamouh H." <hakmi@rogers.com>
To: "'Brent'" <mrb@bmyster.com>, <questions@freebsd.org>
Subject: RE: server was hacked
Message-ID: <106401c7dc72$f812c2b0$6700a8c0@tamouh>
In-Reply-To: <20070811110231.M84490@bmyster.com>
References: <20070811110231.M84490@bmyster.com>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Brent
> Sent: August 11, 2007 7:21 AM
> To: questions@freebsd.org
> Subject: server was hacked
>
> I'm running FBSD 5.4 as a web server. The server is behind a
> Cisco firewall/router and the server has a lot of CMS Joomla
> / Mambo sites on it. I noticed that when I ran sockstat I was
> seeing multiple IPs connected to high ports on the server
> with a process id of "psybnc". Did some looking around &
> found that this is an IRC relay program that was installed
> through a compromised Mambo site. After getting rid of the
> program I changed our router to disallow this type of
> traffic & started trying to fix the box. I'm pretty sure that
> root wasn't compromised but I'm going to re-install anyway. My
> question: has anyone run into this problem with CMS sites? How
> exactly are they getting in?
> What are the things I can do to prevent this? On FBSD how do
> you checksum binaries on the system to ensure someone hasn't
> replaced one with their own binary?
>
> Thank you...and any & all help is greatly appreciated
>
>
> --
> Brent
>

Just some advice for the future: if you're running Apache, use mod_security
to protect you from similar hackings (need to update the rules every now
and then to stay on top of things):

http://www.modsecurity.org/

You'll also find sample rules at: www.gotroot.com

Tamouh
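Brent's question about checksumming binaries is the part of the thread that a script can illustrate. The following is an added example, not code from either poster or from FreeBSD: a small POSIX sh script that records a SHA-256 digest for every regular file under a directory while the box is in a known-good state, and later re-hashes the same paths to report files that were MODIFIED, gone MISSING, or are NEW since the baseline. It assumes one of sha256 (the FreeBSD base tool), sha256sum (GNU coreutils) or openssl is installed, plus find, sort, cut and comm. On FreeBSD the native way to do the same job is mtree(8) with the sha256digest keyword; the script here is only meant to show the baseline-then-verify pattern in a portable form.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): baseline and verify
# SHA-256 digests of files under a directory to spot replaced binaries.
# Assumes sha256 (FreeBSD), sha256sum (GNU) or openssl is available.

# Print the SHA-256 digest of one file, using whichever tool is present.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# make_baseline DIR BASELINE_FILE
# Write one "digest<TAB>path" line per regular file under DIR, sorted by
# path so that two baselines of the same tree are directly comparable.
# Take the baseline from a known-good system and keep it off the host.
make_baseline() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done > "$out"
}

# verify_baseline BASELINE_FILE [DIR]
# Re-hash every recorded path and print MODIFIED / MISSING lines; when DIR
# is given, also list files now present under DIR that the baseline lacks
# (NEW). Returns 0 only when nothing differs.
verify_baseline() {
    base=$1; dir=$2; rc=0
    tab=$(printf '\t')
    # The redirect (not a pipe) keeps the loop in the current shell, so
    # changes to rc survive the loop in POSIX sh.
    while IFS=$tab read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(hash_file "$path")" != "$digest" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$base"
    if [ -n "$dir" ]; then
        tmp=$(mktemp)
        find "$dir" -type f | LC_ALL=C sort > "$tmp"
        # comm -13 prints lines only in the second (live) listing.
        new=$(cut -f2- "$base" | LC_ALL=C sort | comm -13 - "$tmp")
        rm -f "$tmp"
        if [ -n "$new" ]; then
            echo "$new" | sed 's/^/NEW      /'; rc=1
        fi
    fi
    return $rc
}

# Usage (paths are illustrative):
#   make_baseline /usr/bin /mnt/readonly/usr-bin.sha256
#   verify_baseline /mnt/readonly/usr-bin.sha256 /usr/bin
```

Two caveats follow from the thread itself. A baseline only proves anything if it was taken before the compromise and stored where the attacker cannot rewrite it (removable or read-only media, or another host). And on a box that is already suspect, the hashing tools, find and the shell can themselves have been replaced, so the verification pass belongs on a trusted boot medium or a clean reinstall, which is the direction Brent was already heading.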