From: Colin Brace
To: freebsd-questions@freebsd.org
Date: Tue, 25 Aug 2009 06:16:49 -0700 (PDT)
Subject: Re: what www perl script is running?
Message-ID: <25134056.post@talk.nabble.com>
In-Reply-To: <20090825082604.41cad357.wmoran@potentialtech.com>

Bill Moran wrote:

> You can add an ipfw rule to prevent the script from calling home, which
> will effectively render it neutered until you can track down and actually
> _fix_ the problem.
>
> In reality, good security practice says that you should have IPFW (or some
> other firewall) running and only allowing known good traffic right from
> the start, which might have protected you from this in the first place.

Bill, I am surprised you would think I have no firewall. As long as I have had the server (2 years), I have had PF installed and running, and I can tell you exactly which incoming ports I have open to the net:

tcp_services = "{ ssh smtp www https 4661 4662 52550 }"

The last three are for edonkey and bittorrent, resp. C'est tout. There are no *obvious* weaknesses, i.e., ssh is private-key only.

That being said, I leave the WiFi open to everyone, with the following ports available:

wifi_tcp_services = "{ ftp ssh bootps whois domain www imap imaps ntp irc https sunrpc dict nfs 2628 3689 4711 6667 6909 23398}"

Should I entertain the possibility that someone parked their car near my house and hacked in through one of the above ports?

Any suggestions as to where to start looking for the breach would be most welcome; I am quite new to this game.

Thanks.

-----
Colin Brace
Amsterdam
http://lim.nl
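A PF equivalent of the ipfw rule Bill suggests, added here as an example and not part of the thread (Colin runs PF rather than IPFW): block, and log, any outbound connection that the web server's unprivileged user tries to open, so the script cannot phone home and pflog records where it was trying to reach. It assumes the internet-facing interface is named in an $ext_if macro and that the web server, and therefore the script it launched, runs as the FreeBSD "www" user; both are assumptions, not details from the thread.

```pf
# /etc/pf.conf fragment (added example, not from the thread).
# Assumptions: $ext_if is the internet-facing interface and the web
# server plus anything it spawns run as user "www"; adjust both to fit.
ext_if = "vr0"

# ... the existing macros and "pass in" rules (tcp_services etc.) stay as they are.
# Make sure the inbound web rule keeps state, which is the default on current
# pf but must be written out on older versions, e.g.:
#   pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services keep state
# Replies to inbound requests then match that state and never reach the
# outbound rules below.

# Legitimate outbound needs of the web server (a database on another host,
# say) go first, because "quick" stops at the first matching rule.
# Example only; 192.0.2.10 is a documentation address, not a real host:
# pass out quick on $ext_if proto tcp from any to 192.0.2.10 port 5432 user www

# Anything else that a socket owned by user www tries to send out is the
# script phoning home: a web server answering requests does not *open*
# outbound connections of its own. "user" matches the socket owner on
# locally generated traffic only.
block out log quick on $ext_if proto { tcp udp } from any to any user www
```

Check and load the ruleset with `pfctl -nf /etc/pf.conf` and then `pfctl -f /etc/pf.conf`; with `pflog_enable="YES"` in rc.conf, the blocked attempts show up via `tcpdump -n -e -ttt -i pflog0`, and the destinations logged there are a concrete place to start the investigation.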