Date: Tue, 25 Aug 2009 15:50:00 +0200 From: Ruben de Groot <mail25@bzerk.org> To: Colin Brace <cb@lim.nl> Cc: freebsd-questions@freebsd.org Subject: Re: what www perl script is running? Message-ID: <20090825135000.GB6871@ei.bzerk.org> In-Reply-To: <25134277.post@talk.nabble.com> References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com> <20090825082604.41cad357.wmoran@potentialtech.com> <25134277.post@talk.nabble.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Aug 25, 2009 at 06:30:17AM -0700, Colin Brace typed: > > Bill, one more thing: > > > Bill Moran wrote: > > > > You can add an ipfw rule to prevent the script from calling home, which > > will effectively render it neutered until you can track down and actually > > _fix_ the problem. > > Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port > 7000". OK, so I how do I know what port the script is using for outgoing > traffic on MY box? 7000 is the remote host port, right? gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED) It's using local port 51295. But that's irrelevant as ports for outgoing connections are dynamically allocated. > FWIW, here are my core PF lines: > > pass out quick on $ext_if proto 41 > pass out quick on gif0 inet6 > pass in quick on gif0 inet6 proto icmp6 > block in log > > That is to say: nothing is allowed in unless explicitly allowed > Everything allowed out. Which is exactly what the rogue perl script was using to connect to it's "home". Once established this connection could have been used for allmost anything, including downloading other malicious software or setting up a tunnel into your LAN. Ruben
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090825135000.GB6871>