From: Ruben de Groot
To: Colin Brace
Cc: freebsd-questions@freebsd.org
Date: Tue, 25 Aug 2009 15:50:00 +0200
Subject: Re: what www perl script is running?
Message-ID: <20090825135000.GB6871@ei.bzerk.org>
In-Reply-To: <25134277.post@talk.nabble.com>

On Tue, Aug 25, 2009 at 06:30:17AM -0700, Colin Brace typed:
>
> Bill, one more thing:
>
> Bill Moran wrote:
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
>
> Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
> 7000". OK, so how do I know what port the script is using for outgoing
> traffic on MY box? 7000 is the remote host port, right?

gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)

It's using local port 51295. But that's irrelevant as ports for outgoing
connections are dynamically allocated.

> FWIW, here are my core PF lines:
>
> pass out quick on $ext_if proto 41
> pass out quick on gif0 inet6
> pass in quick on gif0 inet6 proto icmp6
> block in log
>
> That is to say: nothing is allowed in unless explicitly allowed.
> Everything allowed out.

Which is exactly what the rogue perl script was using to connect to its
"home". Once established, this connection could have been used for almost
anything, including downloading other malicious software or setting up a
tunnel into your LAN.

Ruben
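A pf.conf fragment in the spirit of Bill's and Ruben's advice, added here as an example and not something posted in the thread: the PF lines Colin posted, beside a default-deny egress policy that would have dropped and logged the callback instead of passing it. The interface name em0, the list of permitted outbound services, and the absence of LAN forwarding rules are assumptions; the destination host and port 7000 are the ones named in the thread.

```pf
ext_if  = "em0"            # assumed external interface
c2_host = "94.102.51.57"   # callback destination named in the thread

# --- As posted: nothing in unless allowed, everything out ------------------
# pass out quick on $ext_if proto 41
# pass out quick on gif0 inet6
# pass in quick on gif0 inet6 proto icmp6
# block in log
#
# With no "block out", the rogue script's connection to port 7000 matched
# pf's implicit default pass and left the box unlogged.

# --- Hardened: default-deny in BOTH directions, log every drop -------------
block in log
block out log

# Interim containment while the script is tracked down: drop and log the
# known callback explicitly so each attempt shows up on pflog0.
block out log quick on $ext_if proto tcp to $c2_host port 7000

# Keep the 6in4 tunnel rules exactly as Colin had them.
pass out quick on $ext_if proto 41
pass out quick on gif0 inet6
pass in quick on gif0 inet6 proto icmp6

# Outbound traffic the gateway itself legitimately needs (assumed list).
# Anything else the host originates, including a new callback on another
# port, now falls through to "block out log".
pass out quick on $ext_if proto { tcp udp } to port { domain ntp } keep state
pass out quick on $ext_if proto tcp to port { http https smtp } keep state
pass out quick on $ext_if inet proto icmp icmp-type echoreq keep state

# If this box also forwards traffic for a LAN, that traffic needs its own
# "pass out ... from <lan network>" rules here, or it will be dropped too.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch the logged drops with `tcpdump -n -e -ttt -i pflog0` to confirm the callback is being blocked and to spot any other unexpected outbound connections.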