Date:      Tue, 25 Aug 2009 08:26:04 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        Colin Brace <cb@lim.nl>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: what www perl script is running?
Message-ID:  <20090825082604.41cad357.wmoran@potentialtech.com>
In-Reply-To: <25132123.post@talk.nabble.com>
References:  <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com>

In response to Colin Brace <cb@lim.nl>:
> 
> Olivier Nicole wrote:
> > 
> >> Am I correct in assuming that my system has been hacked and I am running
> >> an
> >> IRC server or something?
> > 
> > IRC client at least. And yes, I would think that your system has been
> > compromised.
> > 
> 
> Thanks Olivier.
> 
> I am currently killing the process with the following bash command while I
> decide what to do next:
> 
> $ while x=1 ; do sudo killall -9 perl5.8.9  && echo "killed..." ; sleep 15;
> done

You can add an ipfw rule to prevent the script from calling home, which
will effectively render it neutered until you can track down and actually
_fix_ the problem.

In reality, good security practice says that you should have IPFW (or some
other firewall) running and only allowing known good traffic right from
the start, which might have protected you from this in the first place.

> Is it worth first trying to determine how my system was broken into?

Yes.  Otherwise you'll probably just get a repeat once you've reinstalled.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
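As an added example, not code from the thread: a deny-by-default ipfw rule set of the kind Bill describes, which blocks and logs the bot's attempts to call home while still passing the host's known-good traffic. It assumes FreeBSD with ipfw loaded, that ssh is the only inbound service, and that the usual IRC port range is worth logging separately; the rule numbers and allowed ports are this example's assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): deny-by-default ipfw rule set that
# keeps a compromised host from calling home until the break-in is fixed.
# Assumes FreeBSD with ipfw loaded (kldload ipfw). Rule numbers, the IRC
# port range and the allowed ports are assumptions; adjust to the host.
fwcmd="${fwcmd:-/sbin/ipfw -q}"   # set fwcmd=echo to print rules instead of loading them

load_rules() {
    $fwcmd -f flush
    # Loopback and already-established dynamic state first.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 check-state
    # Deny and log the ports an IRC bot typically uses, so each call-home
    # attempt is recorded with its destination (needs net.inet.ip.fw.verbose=1,
    # i.e. firewall_logging="YES" in rc.conf; entries go to /var/log/security).
    $fwcmd add 300 deny log tcp from me to any 6660-6669,7000 out
    # Known-good outbound traffic from this host (ssh, DNS, HTTP/S, NTP).
    $fwcmd add 400 allow tcp from me to any 22,53,80,443 out setup keep-state
    $fwcmd add 410 allow udp from me to any 53,123 out keep-state
    # Known-good inbound: ssh only, plus the ICMP needed for path MTU and ping.
    $fwcmd add 500 allow tcp from any to me 22 in setup keep-state
    $fwcmd add 510 allow icmp from any to any icmptypes 0,3,8,11
    # Everything else, including a bot on a non-standard port, is dropped
    # and logged; this is the default-deny Bill recommends.
    $fwcmd add 65000 deny log ip from any to any
}

# Only load the rules when explicitly asked, so the file is safe to source
# or review; run as root with --apply to install them.
if [ "${1:-}" = "--apply" ]; then
    load_rules
fi
```

The log lines for rule 300 and 65000 show which hosts the script tries to reach, which is useful input for the break-in analysis Bill says should come before the reinstall.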