From owner-freebsd-questions@FreeBSD.ORG Tue Aug 25 14:54:39 2009
From: Paul Schmehl
To: Colin Brace, freebsd-questions@freebsd.org
Date: Tue, 25 Aug 2009 14:26:05 +0000
Subject: Re: what www perl script is running?
Message-ID: <9A17E0F00322F734578821FC@utd65257.utdallas.edu>
In-Reply-To: <25132123.post@talk.nabble.com>
References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com>

--On Tuesday, August 25, 2009 05:46:43 -0500 Colin Brace wrote:

>
> Olivier Nicole wrote:
>>
>>> Am I correct in assuming that my system has been hacked and I am running
>>> an IRC server or something?
>>
>> IRC client at least. And yes, I would think that your system has been
>> compromised.
>>
>
> Thanks Olivier.
>
> I am currently killing the process with the following bash command while I
> decide what to do next:
>
> $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15;
> done
>
> I suppose this calls for a "bare-metal" reinstall.
>
> Is it worth first trying to determine how my system was broken into?
>

Only you can answer that question. How badly do you need to get the server back up and running? If it's not critical, it would be worth taking the time to investigate. Otherwise you'll set it back up the same way and be hacked again in the same way.

If you know someone who is good at forensics on Unix boxes, call them.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
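A caveat for anyone following this thread: a `killall -9` loop discards exactly what an investigation needs, namely the process's command line, working directory, open files (including the script it was started from) and its network sockets. The routine below is an added example, not code from this thread or from FreeBSD; it snapshots those facts for one process into an evidence file before the process is killed. The function names `run_if_present` and `collect_process_evidence` and the `evidence-PID.txt` layout are this example's own choices. It uses FreeBSD's `procstat` and `sockstat` where they are installed and falls back to `/proc` and `lsof` so the same script runs on a Linux host.

```shell
#!/bin/sh
# Added triage example (not from the thread): record what a suspicious
# process is doing BEFORE it is terminated. Function and file names are
# this example's own. FreeBSD tools (procstat, sockstat) are used when
# installed; /proc and lsof otherwise.

# run_if_present CMD ARGS...: run CMD if it is installed, else note its
# absence. Never fails, so the evidence file is still written on a
# stripped-down host that lacks one of the tools.
run_if_present() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || echo "[$1 exited with status $?]"
    else
        echo "[$1 not available on this host]"
    fi
}

# collect_process_evidence PID OUTDIR
# Writes OUTDIR/evidence-PID.txt and prints its path on stdout.
# Returns 1 when PID is not a live process (nothing to collect).
collect_process_evidence() {
    pid=$1
    outdir=$2
    kill -0 "$pid" 2>/dev/null || return 1
    mkdir -p "$outdir" || return 1
    out="$outdir/evidence-$pid.txt"
    {
        echo "== triage of pid $pid on $(uname -n) at $(date -u '+%Y-%m-%dT%H:%M:%SZ') =="
        echo "== process, parent, owner, start time, command line =="
        run_if_present ps -o pid,ppid,user,lstart,args -p "$pid"
        if command -v procstat >/dev/null 2>&1; then
            # FreeBSD: executable, open files (the script path shows up
            # here), and every socket owned by this pid (sockstat column 3)
            echo "== procstat -b (executable) =="
            run_if_present procstat -b "$pid"
            echo "== procstat -f (open files, cwd) =="
            run_if_present procstat -f "$pid"
            echo "== sockstat (sockets owned by this pid) =="
            run_if_present sockstat -46 | awk -v p="$pid" 'NR == 1 || $3 == p'
        else
            # Linux fallback: /proc links plus lsof for files and sockets
            echo "== /proc: exe, cwd, cmdline =="
            [ -r "/proc/$pid/exe" ] && echo "exe: $(readlink "/proc/$pid/exe")"
            [ -r "/proc/$pid/cwd" ] && echo "cwd: $(readlink "/proc/$pid/cwd")"
            [ -r "/proc/$pid/cmdline" ] && tr '\0' ' ' < "/proc/$pid/cmdline" && echo
            echo "== lsof (open files and sockets) =="
            run_if_present lsof -nP -p "$pid"
        fi
    } > "$out"
    echo "$out"
}
```

On the host in the thread this would be run once per offending process, for instance `collect_process_evidence "$(pgrep -x perl5.8.9 | head -n 1)" /var/tmp/ir`, and only then would the process be killed. The evidence file, together with the script that `procstat -f` points at, is what a Unix forensics person would want to see, and both should be copied off the box before any reinstall.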