From: Johan Berg
Date: Thu, 17 Nov 2005 17:58:04 +0100
To: Mark Jayson Alvarez
Cc: freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security
In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
References: <20051117012552.46503.qmail@web51607.mail.yahoo.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Check the system with rkhunter to see if there were any changes to
some files or any known rootkit installed. You can find rkhunter in
/usr/ports/security/rkhunter

Try the following:
rkhunter --update && rkhunter --checkall

On 17 Nov 2005 at 02:25, Mark Jayson Alvarez wrote:

> Good Day!
>
> I think we have a serious problem. One of our old
> servers running FreeBSD 4.9 has been compromised and
> is now connected to an ircd server..
> 195.204.1.132.6667     ESTABLISHED
>
> However, we still haven't brought the server down in
> an attempt to track the intruder down. Right now we
> are clueless as to what we need to do..
> Most of our servers are running legacy operating
> systems (old versions, mostly FreeBSD). Also, that
> particular server is running - ProFTPD Version 1.2.4
> which someone has suggested to have a known
> vulnerability..
>
> I really need all the help I can get as the
> administration of those servers was just transferred
> to us by former admins. The server is used for ftp.
>
> Thanks..

-- 
Johan Berg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)

iD8DBQFDfLapSVaw+q1ufCYRAh7BAJ93lVecTx72JQnY8IiW3L5D8ineMwCfTZbm
dY+/9ukhbXIF9r/5krcxSZ4=
=sjjs
-----END PGP SIGNATURE-----
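
A triage sketch to go with the rkhunter run suggested above (an added example, not part of the original messages): it filters BSD-style `netstat -an` output for established TCP sessions to IRC ports, like the `195.204.1.132.6667` line quoted in the thread. The function names, the ports other than 6667, and the sample lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag ESTABLISHED TCP sessions whose remote port is an IRC port.
# Input is BSD-style `netstat -an` text, where the port follows the address
# after a final dot (195.204.1.132.6667), as in the line quoted in the thread.

# Assumption: 6667 comes from the thread; the other entries are commonly used
# IRC ports chosen for this example.
IRC_PORTS="6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 6697 7000"

# irc_conns: read netstat lines on stdin, print "local remote" per match.
irc_conns() {
    awk -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) irc[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            remote = $(NF - 1)
            port = remote
            sub(/^.*\./, "", port)      # keep only the text after the last dot
            if (port in irc) print $(NF - 2), remote
        }'
}

# Constructed sample in FreeBSD `netstat -an` layout (not captured data; only
# the remote endpoint on the second tcp4 line is taken from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.21          *.*                    LISTEN
tcp4       0      0  192.0.2.10.1047        195.204.1.132.6667     ESTABLISHED
tcp4       0      0  192.0.2.10.22          198.51.100.7.6667      TIME_WAIT
tcp4       0      0  192.0.2.10.21          198.51.100.9.50122     ESTABLISHED
tcp4       0      0  192.0.2.10.6667        198.51.100.9.50200     ESTABLISHED
EOF
}

# Only the outbound session to remote port 6667 is reported; the last line has
# 6667 as the local port and is deliberately not matched by this filter.
sample_netstat | irc_conns
```

On a live FreeBSD host the same function can be fed with `netstat -an -p tcp | irc_conns`, and `sockstat -4 -c` then maps a flagged local port to the owning process.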