Date: Tue, 25 Aug 2009 14:26:05 +0000
From: Paul Schmehl <pschmehl_lists@tx.rr.com>
To: Colin Brace <cb@lim.nl>, freebsd-questions@freebsd.org
Subject: Re: what www perl script is running?
Message-ID: <9A17E0F00322F734578821FC@utd65257.utdallas.edu>
In-Reply-To: <25132123.post@talk.nabble.com>
References: <4A924601.3000507@lim.nl>
 <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th>
 <200908241026.55693.j.mckeown@ru.ac.za>
 <25130058.post@talk.nabble.com>
 <20090825091937.GA53416@cheddar.urgle.com>
 <25131646.post@talk.nabble.com>
 <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th>
 <25132123.post@talk.nabble.com>
--On Tuesday, August 25, 2009 05:46:43 -0500 Colin Brace <cb@lim.nl> wrote:

> Olivier Nicole wrote:
>>
>>> Am I correct in assuming that my system has been hacked and I am running
>>> an IRC server or something?
>>
>> IRC client at least. And yes, I would think that your system has been
>> compromised.
>>
>
> Thanks Olivier.
>
> I am currently killing the process with the following bash command while I
> decide what to do next:
>
> $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15; done
>
> I suppose this calls for a "bare-metal" reinstall.
>
> Is it worth first trying to determine how my system was broken into?
>

Only you can answer that question. How badly do you need to get the server
back up and running? If it's not critical, it would be worth taking the time
to investigate. Otherwise you'll set it back up the same way and be hacked
again in the same way. If you know someone who is good at forensics on Unix
boxes, call them.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson