From: "Tamouh H." <hakmi@rogers.com>
To: "'Brent'"
Date: Sat, 11 Aug 2007 19:54:30 -0400
Subject: RE: server was hacked
Message-ID: <106401c7dc72$f812c2b0$6700a8c0@tamouh>
In-Reply-To: <20070811110231.M84490@bmyster.com>
X-BeenThere: freebsd-questions@freebsd.org

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Brent
> Sent: August 11, 2007 7:21 AM
> To: questions@freebsd.org
> Subject: server was hacked
>
> I'm running FBSD 5.4 as a web server. The server is behind a Cisco
> firewall/router and has a lot of CMS Joomla/Mambo sites on it. I noticed
> that when I ran sockstat I was seeing multiple IPs connected to high ports
> on the server with a process id of "psybnc". Did some looking around and
> found that this is an IRC relay program that was installed through a
> compromised Mambo site. After getting rid of the program I changed our
> router to disallow this type of traffic and started trying to fix the box.
> I'm pretty sure that root wasn't compromised, but I'm going to re-install
> anyway. My question: has anyone run into this problem with CMS sites? How
> exactly are they getting in?
> What are the things I can do to prevent this? On FBSD, how do you checksum
> binaries on the system to ensure someone hasn't replaced one with their
> own binary?
>
> Thank you, and all help is greatly appreciated.
>
>
> --
> Brent
>

Just a piece of advice for the future: if you're running Apache, use mod_security to protect you from similar hacks (you need to update the rules every now and then to stay on top of things): http://www.modsecurity.org/

You'll also find sample rules at: www.gotroot.com

Tamouh
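Brent's second question, how to checksum the binaries on a FreeBSD box to tell whether one has been swapped, is not answered in the thread. The script below is an added example, not code from either poster: a small POSIX sh script that records the SHA-256 digest of every regular file under a directory and later reports files that changed, went missing or appeared. It assumes either `sha256sum` (GNU coreutils) or FreeBSD's `sha256 -q` is on the PATH and that paths contain no tab or newline characters; the file names in the comments are illustrative. On FreeBSD the native tool for this kind of baseline is mtree(8); the script is a portable stand-in that shows the idea.

```shell
#!/bin/sh
# Added example (not from the thread): record SHA-256 digests of every regular
# file under a directory and later compare the tree against that baseline.
# Assumes `sha256sum` (GNU coreutils) or FreeBSD's `sha256 -q` on the PATH and
# paths without tab/newline characters. mtree(8) is FreeBSD's native tool for
# this; the script is a portable stand-in.
set -u

# Print the hex SHA-256 digest of one file, whichever tool is available.
digest_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Print "digest<TAB>path" for every regular file under $1, sorted by path so
# two runs over the same tree produce comparable output.
digest_tree() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(digest_file "$f")" "$f"
    done
}

# make_baseline DIR FILE: write the digest list for DIR to FILE. Take it from a
# known-good install and keep FILE off the host or on read-only media; a
# baseline an intruder can rewrite proves nothing.
make_baseline() {
    digest_tree "$1" > "$2"
}

# verify_baseline DIR FILE: compare DIR with the baseline in FILE. Prints one
# "CHANGED/MISSING/NEW<TAB>path" line per discrepancy; returns 0 when the tree
# matches the baseline, 1 when it does not.
verify_baseline() {
    current=$(mktemp) || return 2
    digest_tree "$1" > "$current"
    rc=0
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline entries
        { cur[$2] = $1 }                               # current entries
        END {
            bad = 0
            for (p in base) {
                if (!(p in cur))            { print "MISSING\t" p; bad = 1 }
                else if (cur[p] != base[p]) { print "CHANGED\t" p; bad = 1 }
            }
            for (p in cur) if (!(p in base)) { print "NEW\t" p; bad = 1 }
            exit bad
        }' "$2" "$current" || rc=$?
    rm -f "$current"
    return "$rc"
}

# Typical use (paths are illustrative): baseline once from a trusted state,
# then re-check from cron or from rescue media after an incident.
#   make_baseline   /usr/bin /mnt/readonly/usr-bin.sha256
#   verify_baseline /usr/bin /mnt/readonly/usr-bin.sha256
```

Two caveats matter more than the script itself. The baseline is only as trustworthy as the system it was taken from, so it has to come from a fresh install or from known-good install media, never from a box that is already suspect; and the checking tools (`sh`, `find`, `awk`, `sha256sum`) live on the same disk as the binaries being checked, so a post-incident verification should be run from a boot CD or a second trusted host with the suspect filesystem mounted read-only.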