From owner-freebsd-questions@FreeBSD.ORG Tue Aug 25 14:51:47 2009
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F06B8106568D for ; Tue, 25 Aug 2009 14:51:47 +0000 (UTC) (envelope-from prvs=481321b54=pauls@utdallas.edu)
Received: from ip-relay-002.utdallas.edu (ip-relay-002.utdallas.edu [129.110.20.112]) by mx1.freebsd.org (Postfix) with ESMTP id A36718FC27 for ; Tue, 25 Aug 2009 14:51:47 +0000 (UTC)
X-Group: RELAYLIST
X-IronPort-AV: E=Sophos;i="4.44,272,1249275600"; d="scan'208";a="15459391"
Received: from smtp3.utdallas.edu ([129.110.20.110]) by ip-relay-002.utdallas.edu with ESMTP; 25 Aug 2009 09:23:08 -0500
Received: from utd65257.utdallas.edu (utd65257.utdallas.edu [129.110.3.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.utdallas.edu (Postfix) with ESMTPSA id D2C754EF37; Tue, 25 Aug 2009 09:23:08 -0500 (CDT)
Date: Tue, 25 Aug 2009 14:23:08 +0000
From: Paul Schmehl
To: Ruben de Groot , Mike Bristow
Message-ID:
In-Reply-To: <20090825094133.GA5644@ei.bzerk.org>
References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <20090825094133.GA5644@ei.bzerk.org>
X-Mailer: Mulberry/4.0.6 (Linux/x86)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=sha1; protocol="application/pkcs7-signature"; boundary="==========9A9F142983F14CB932C1=========="
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-questions@freebsd.org, Colin Brace
Subject: Re: what www perl script is running?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 25 Aug 2009 14:51:48 -0000

--On Tuesday, August 25, 2009 04:41:33 -0500 Ruben de Groot wrote:

>
> On Tue, Aug 25, 2009 at 10:19:37AM +0100, Mike Bristow typed:
>> On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
>> > Ok, here is what lsof tells me:
>> >
>> > $ sudo lsof | grep perl
>> > perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP
>> > gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
>> >
>> > The last line would appear to be telling me something, but what?
>>
>> The script is talking to 94.102.51.57 on port 7000.
>
> At which port an IRC server is listening:
>
>> telnet 94.102.51.57 7000
> Trying 94.102.51.57...
> Connected to 94.102.51.57.
> Escape character is '^]'.
> :sampson.dangerz.biz NOTICE AUTH :*** Looking up your hostname...
> :sampson.dangerz.biz NOTICE AUTH :*** Couldn't resolve your hostname; using
> your IP address instead
>
> And the IRC daemon is screaming "You have been hacked!"

You need to get someone who knows about server compromises to help you. Your server has been compromised. If you don't take action now, it will only get worse.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
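The lsof line quoted in this thread shows the pattern a defender wants to catch automatically: a process owned by the web-server user holding an established outbound connection to a port it has no business reaching (here, an IRC server on 7000, which lsof printed by its /etc/services name afs3-fileserver). The Python below is an added example, not code from this thread or from the FreeBSD project. It parses default lsof output, uses the LISTEN sockets in the same snapshot to tell inbound client connections apart from outbound ones, and flags outbound connections from the `www` user to ports outside an allow-list. The web-server user name, the allow-list, the service-name table and the sample lines other than the perl one are all constructed assumptions.

```python
"""Flag outbound connections from the web-server user to unexpected ports in lsof output."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of /etc/services so the example runs offline; a real tool would
# run "lsof -nP -i" to get numeric ports or call socket.getservbyname().
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53, "afs3-fileserver": 7000}

# Assumed policy: a process running as the web-server user may open outbound
# connections only to these ports. Tune this to the host's real traffic.
ALLOWED_REMOTE_PORTS = {80, 443, 53}

# Default lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>IPv[46])"
    r"\s+\S+\s+\S+\s+(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


@dataclass
class Socket:
    cmd: str
    pid: int
    user: str
    proto: str
    local_port: Optional[int]
    remote_host: Optional[str]   # None for listening / unconnected sockets
    remote_port: Optional[int]
    state: Optional[str]


def resolve_port(token: str) -> Optional[int]:
    """Turn the port half of an lsof endpoint (numeric or service name) into an int."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)


def parse_lsof_line(line: str) -> Optional[Socket]:
    """Parse one lsof line describing an IPv4/IPv6 socket; return None for other lines."""
    m = LSOF_LINE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    remote_host = remote_port = None
    local = name
    if "->" in name:                       # "local->remote" means a connected socket
        local, remote = name.split("->", 1)
        host, _, port = remote.rpartition(":")
        remote_host, remote_port = host, resolve_port(port)
    local_port = resolve_port(local.rpartition(":")[2])
    return Socket(m.group("cmd"), int(m.group("pid")), m.group("user"), m.group("proto"),
                  local_port, remote_host, remote_port, m.group("state"))


def suspicious_connections(lines: List[str], web_user: str = "www") -> List[Socket]:
    """Return established outbound sockets owned by web_user that reach non-allowed ports."""
    socks = [s for s in map(parse_lsof_line, lines) if s is not None]
    # Ports this host serves; an ESTABLISHED socket on one of them is inbound client traffic.
    listening = {s.local_port for s in socks if s.state == "LISTEN" and s.local_port is not None}
    hits = []
    for s in socks:
        if s.user != web_user or s.state != "ESTABLISHED" or s.remote_host is None:
            continue
        if s.local_port in listening:
            continue                       # e.g. a browser talking to httpd on port 80
        if s.remote_port not in ALLOWED_REMOTE_PORTS:
            hits.append(s)
    return hits


# Constructed sample: the perl line from the thread (joined onto one line) plus a
# header row and two benign httpd sockets. "gw" is the local hostname as lsof printed it.
SAMPLE_LSOF = [
    "COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME",
    "httpd     1203 www    4u  IPv4 0xc33ce000      0t0  TCP *:http (LISTEN)",
    "httpd     1207 www    9u  IPv4 0xc33cd000      0t0  TCP gw:http->203.0.113.9:52110 (ESTABLISHED)",
    "perl5.8.9 4272 www    3u  IPv4 0xc33cf000      0t0  TCP gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)",
]

if __name__ == "__main__":
    for s in suspicious_connections(SAMPLE_LSOF):
        print(f"{s.cmd} pid {s.pid} ({s.user}) -> {s.remote_host}:{s.remote_port} [{s.state}]")
```

On a live host, feed it the output of `lsof -nP -i` instead: `-n` and `-P` make lsof print numeric addresses and ports, so the service-name table is not needed and DNS is never consulted during triage. The inbound/outbound distinction relies on the LISTEN entries being present in the same snapshot, which is why the sample is not pre-filtered through `grep perl`.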