From owner-freebsd-questions@FreeBSD.ORG Tue Aug 25 14:36:36 2009
Date: Tue, 25 Aug 2009 14:36:30 +0000
From: Paul Schmehl
To: Bill Moran, Colin Brace
Cc: freebsd-questions@freebsd.org
Subject: Re: what www perl script is running?
In-Reply-To: <20090825082604.41cad357.wmoran@potentialtech.com>
References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com> <20090825082604.41cad357.wmoran@potentialtech.com>
X-Mailer: Mulberry/4.0.6 (Linux/x86)
List-Id: User questions

--On Tuesday, August 25, 2009 07:26:04 -0500 Bill Moran wrote:

>>
>> I am currently killing the process with the following bash command while I
>> decide what to do next:
>>
>> $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15;
>> done
>
> You can add an ipfw rule to prevent the script from calling home, which
> will effectively render it neutered until you can track down and actually
> _fix_ the problem.
>
> In reality, good security practice says that you should have IPFW (or some
> other firewall) running and only allowing known good traffic right from
> the start, which might have protected you from this in the first place.
>

I disagree. I used to believe this, but experience has taught me otherwise. When you run a firewall on a host, you open the ports for the services you want to offer. The firewall provides you no protection at all against hackers attacking the services that are listening on ports opened through the firewall. All a host firewall does is consume CPU and memory and give you a warm fuzzy that doesn't really add to security at all and may well make you less vigilant. (And yes, I know I'm a security heretic in some quarters.)

Firewalls are much more effective when they're not on the box(es) you're trying to protect.

I think it's highly likely that this compromise was through the web server attacking a vulnerable service or a poorly coded script or a permissions problem. And it sounds like the compromise is limited (right now) to the web service. In fact it sounds a great deal like PsyBNC.

http://en.wikipedia.org/wiki/PsyBNC

>> Is it worth first trying to determine how my system was broken into?
>
> Yes.
> Otherwise you'll probably just get a repeat once you've reinstalled.
>

You're absolutely correct. The old aphorism about always doing what you've always done always produces the results you've always gotten certainly applies here.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
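The thread's practical question is how to tell which www-owned process is "calling home" before deciding on a kill loop or an ipfw rule. The following sh script is an added example, not code from anyone in this thread: it reads sockstat(1)-style output and flags sockets owned by the web-server user that look like connections the process opened itself (a non-service local port plus a real peer address), which is exactly the pattern an IRC bouncer such as PsyBNC produces. It assumes FreeBSD's sockstat column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN), that the web server only listens on 80 and 443, and that the web user is "www"; the sample output embedded in it is constructed, not captured from the affected host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): flag sockets owned by the
# web-server user that look like outbound connections, from sockstat(1)-style
# output.  Assumptions: FreeBSD sockstat column layout (USER COMMAND PID FD
# PROTO LOCAL FOREIGN) and a web server that only listens on 80/443.

WWW_USER="${WWW_USER:-www}"
SERVICE_PORTS="${SERVICE_PORTS:-80 443}"

# Constructed sample, standing in for `sockstat -4` on the affected host.
# Line 2 is the listener, line 3 an accepted client connection, line 4 the
# kind of socket a perl bouncer opens to an IRC server.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  3  tcp4   *:80                  *:*
www      httpd      1240  5  tcp4   10.0.0.5:80           198.51.100.9:40512
www      perl5.8.9  2345  4  tcp4   10.0.0.5:51234        203.0.113.7:6667
root     sshd       800   4  tcp4   *:22                  *:*'

# is_service_port PORT -> returns 0 if PORT is one of the allowed listening ports
is_service_port() {
    for p in $SERVICE_PORTS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# find_outbound: read sockstat output on stdin, print "COMMAND PID FOREIGN" for
# every $WWW_USER socket whose local port is not a service port and whose
# foreign address is a real peer (not "*:*").  Accepted web connections keep
# local port 80/443, so only connections the web user initiated are flagged.
# The header line is skipped because its first field is "USER", not $WWW_USER.
find_outbound() {
    while read -r user cmd pid fd proto laddr faddr; do
        [ "$user" = "$WWW_USER" ] || continue
        [ "$faddr" != "*:*" ] || continue
        lport=${laddr##*:}
        is_service_port "$lport" && continue
        printf '%s %s %s\n' "$cmd" "$pid" "$faddr"
    done
}

# count_outbound: number of flagged sockets in the constructed sample
count_outbound() {
    printf '%s\n' "$SAMPLE" | find_outbound | wc -l | tr -d ' '
}

# Stand-alone run over the sample.  On a live host use:
#   sockstat -4 | find_outbound
printf '%s\n' "$SAMPLE" | find_outbound
```

On the sample this prints only the perl5.8.9 line with its peer, which is the process and the remote endpoint worth preserving for the "how did they get in" question before anything is killed or reinstalled. For the containment step Bill Moran describes, ipfw can deny only new connections that the web user initiates (the `setup` keyword matches TCP connection requests, and `uid` restricts the rule to that user's sockets), so the web server's own accepted connections keep working while the script can no longer reach its server; the rule must be placed ahead of any rule that allows outbound traffic, so the exact rule number depends on the ruleset already in place.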