Date: Tue, 25 Aug 2009 14:23:08 +0000
From: Paul Schmehl <pauls@utdallas.edu>
To: Ruben de Groot <mail25@bzerk.org>, Mike Bristow <mike@urgle.com>
Cc: freebsd-questions@freebsd.org, Colin Brace <cb@lim.nl>
Subject: Re: what www perl script is running?
Message-ID: <C6E2116C27A8DFB7A8E77898@utd65257.utdallas.edu>
In-Reply-To: <20090825094133.GA5644@ei.bzerk.org>
References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <20090825094133.GA5644@ei.bzerk.org>

--On Tuesday, August 25, 2009 04:41:33 -0500 Ruben de Groot <mail25@bzerk.org> wrote:

>
> On Tue, Aug 25, 2009 at 10:19:37AM +0100, Mike Bristow typed:
>> On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
>> > Ok, here is what lsof tells me:
>> >
>> > $ sudo lsof | grep perl
>> > perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP
>> > gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
>> >
>> > The last line would appear to be telling me something, but what?
>>
>> The script is talking to 94.102.51.57 on port 7000.
>
> At which port an IRC server is listening:
>
>> telnet 94.102.51.57 7000
> Trying 94.102.51.57...
> Connected to 94.102.51.57.
> Escape character is '^]'.
> :sampson.dangerz.biz NOTICE AUTH :*** Looking up your hostname...
> :sampson.dangerz.biz NOTICE AUTH :*** Couldn't resolve your hostname; using
> your IP address instead
>

And the IRC daemon is screaming "You have been hacked!"

You need to get someone who knows about server compromises to help you. Your server has been compromised. If you don't take action now, it will only get worse.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
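
The check discussed in this message (a process owned by the web-server user holding an established connection to an IRC port) can be scripted. The following is an added example, not part of the original e-mail or written by anyone in the thread; the function names, the IRC port list and the sample rows other than the first are assumptions.

```shell
#!/bin/sh
# Reads `lsof` output on stdin and reports established TCP connections owned
# by one user whose remote port is a common IRC port.
# Assumptions (not from the thread): the port list and the "www" default.
flag_irc_conns() {
    awk -v user="${1:-www}" '
    BEGIN {
        n = split("6667 6697 7000", p, " ")   # assumed IRC port list
        for (i = 1; i <= n; i++) irc[p[i]] = 1
        # Without -P, lsof prints /etc/services names, so port 7000
        # appears as "afs3-fileserver", as in the output quoted above.
        svc["afs3-fileserver"] = "7000"
    }
    $3 == user && $8 == "TCP" && $NF == "(ESTABLISHED)" && $9 ~ /->/ {
        split($9, ends, "->")                 # local->remote
        port = ends[2]; sub(/.*:/, "", port)  # text after the last colon
        host = ends[2]; sub(/:[^:]*$/, "", host)
        if (port in svc) port = svc[port]
        if (port in irc)
            printf "%s pid=%s user=%s remote=%s port=%s\n", $1, $2, $3, host, port
    }'
}

# Constructed sample: row 1 is the lsof line from the thread (re-joined onto
# one line); the other rows are made up and use documentation addresses.
sample_lsof() {
    cat <<'EOF'
perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
httpd 812 www 3u IPv4 0xc33ce000 0t0 TCP *:http (LISTEN)
httpd 815 www 9u IPv4 0xc33cd000 0t0 TCP gw:http->198.51.100.7:40112 (ESTABLISHED)
perl5.8.9 4301 www 4u IPv4 0xc33cc000 0t0 TCP 10.0.0.1:51310->192.0.2.10:6667 (ESTABLISHED)
sshd 990 root 3u IPv4 0xc33cb000 0t0 TCP gw:ssh->198.51.100.9:50022 (ESTABLISHED)
EOF
}

sample_lsof | flag_irc_conns www
```

On a live host the input would come from `lsof -n -P -i TCP`, where `-n` and `-P` keep addresses and ports numeric so no service-name mapping is needed.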