From: Ruben de Groot
To: Colin Brace
Cc: freebsd-questions@freebsd.org
Date: Tue, 25 Aug 2009 15:42:50 +0200
Subject: Re: what www perl script is running?
Message-ID: <20090825134250.GA6871@ei.bzerk.org>
In-Reply-To: <25134056.post@talk.nabble.com>

On Tue, Aug 25, 2009 at 06:16:49AM -0700, Colin Brace typed:
>
> > Bill Moran wrote:
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
> >
> > In reality, good security practice says that you should have IPFW (or some
> > other firewall) running and only allowing known good traffic right from
> > the start, which might have protected you from this in the first place.
> >
>
> Bill,
>
> I am surprised you would think I have no firewall. As long as I have had the
> server (2 years), I have had PF installed and running, and I can tell you
> exactly which incoming ports I have open to the net:
>
> tcp_services = "{ ssh smtp www https 4661 4662 52550 }"

But are you blocking any outgoing traffic?

> wifi_tcp_services = "{ ftp ssh bootps whois domain www imap imaps ntp irc
> https sunrpc dict nfs 2628 3689 4711 6667 6909 23398}"
>
> Should I entertain the possibility that someone parked their car near my
> house and hacked in through one of the above ports?

That's certainly possible. But not my first guess.

> Any suggestions as to where to start looking for the breach would be most
> welcome; I am quite new to this game.

My guess (not much more than that) is that someone used a vulnerable web
page, maybe some perl or php application that was exploitable. This because
the rogue process was running as user "www".

Try a find through the entire filesystem for files owned by this user that
you can't account for. Also check your cron and at files under /var/cron
and /var/at. And try to find out what's starting the process with ps -alx,
tracking the PPIDs.

Good hunting!
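One way to script the triage steps Ruben lists (walk the PPID chain of the rogue process, look for files owned by www, check the cron and at spools), as an added example that is not part of the original thread. It assumes FreeBSD paths, an assumed document root of /usr/local/www, and uses a constructed ps table for the offline demonstration:

```sh
#!/bin/sh
# Triage helpers for a rogue process running as "www" (added example, not
# from the thread). Assumes FreeBSD paths; the ps table below is constructed.
# Walk the parent chain of $1 through a "pid ppid user command" table
# ($2, as printed by: ps -axo pid,ppid,user,command). Prints the process
# and each ancestor, child first; returns 1 if the pid is not in the table.
ppid_chain() {
    pc_pid=$1; pc_table=$2; pc_found=1
    while [ "$pc_pid" -gt 0 ] 2>/dev/null; do
        pc_line=$(printf '%s\n' "$pc_table" | awk -v p="$pc_pid" '$1 == p { print; exit }')
        [ -n "$pc_line" ] || break
        pc_found=0
        printf '%s\n' "$pc_line"
        pc_pid=$(printf '%s\n' "$pc_line" | awk '{ print $2 }')
    done
    return $pc_found
}

# Command of the ancestor started directly by init: the service (cron, a
# web server, a login shell, ...) that ultimately spawned the process.
chain_origin() {
    ppid_chain "$1" "$2" | awk '$2 == 1 { $1 = $2 = $3 = ""; sub(/^ +/, ""); print; exit }'
}

# Files owned by www outside the paths where it is expected to write
# (assumed document root and PHP session dir; adjust to the host).
www_files() {
    find / \( -path /usr/local/www -o -path /tmp/sessions \) -prune -o -user www -print 2>/dev/null
}

# Scheduled jobs that could respawn the process after it is killed.
scheduled_jobs() {
    ls -laR /var/cron /var/at 2>/dev/null
    crontab -u www -l 2>/dev/null
}

# Constructed sample: a perl script spawned from a www crontab entry.
SAMPLE_PS='  PID  PPID USER COMMAND
    1     0 root /sbin/init
  612     1 root /usr/sbin/cron
 6978   612 www  /bin/sh -c /tmp/example_rogue.pl
 6979  6978 www  /usr/local/bin/perl /tmp/example_rogue.pl'
if [ "$#" -gt 0 ]; then          # usage: sh triage.sh <pid>
    ppid_chain "$1" "$(ps -axo pid,ppid,user,command)"
    www_files; scheduled_jobs
else
    chain_origin 6979 "$SAMPLE_PS"   # prints /usr/sbin/cron
fi
```

Run with the suspect PID as the argument on the live host; without one it walks the constructed table and reports cron as the origin.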