Date:      Fri, 18 Nov 2005 14:42:44 +1000
From:      Timothy Smith <timothy@open-networks.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Need urgent help regarding security
Message-ID:  <437D5BC4.5000700@open-networks.net>
In-Reply-To: <FE4A7F05-6522-4C47-9044-4A4B11E47A95@ircnet.se>
References:  <20051117012552.46503.qmail@web51607.mail.yahoo.com> <FE4A7F05-6522-4C47-9044-4A4B11E47A95@ircnet.se>

i have seen a similar attack recently doing a brute force ssh. the
number ONE weakness in most poorly run IT systems is easy passwords.
it's amazingly easy to brute force these systems using common names or
variations of them.

in my instance they used it to join a botnet on an undernet irc
channel. and yes attempting to track them down will be a waste of time
unless they have intruded on a very very sensitive system and you have
enough money to back an overseas legal battle.

check in /tmp and see if anything is running in there, lots of times /tmp
is mounted with exec and they use it to run their scripts.

>
>> Good Day!
>>
>> I think we have a serious problem. One of our old
>> servers running FreeBSD 4.9 has been compromised and
>> is now connected to an ircd server..
>> 195.204.1.132.6667     ESTABLISHED
>>
>> However, we still haven't brought the server down in
>> an attempt to track the intruder down. Right now we
>> are clueless as to what we need to do..
>> Most of our servers are running legacy operating
>> systems (old versions, mostly FreeBSD). Also, that
>> particular server is running ProFTPD Version 1.2.4,
>> which someone has suggested has a known
>> vulnerability..
>>
>> I really need all the help I can get as the
>> administration of those servers was just transferred
>> to us by former admins. The server is used for ftp.
>>
>> Thanks..
>>
>
>
>     -- Johan Berg
>
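
The /tmp check suggested in the reply above, written out as an added example (not part of the original thread): it reads `mount` and `ps` output, reports whether /tmp is mounted noexec, and lists processes whose command line points under /tmp. The function names and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample data is constructed; on a live host pipe in
# `mount` and `ps -axo pid,user,command` output instead.

# Reads `mount` output; prints exec, noexec or no-separate-mount for /tmp.
# Handles BSD "(ufs, local, noexec)" and Linux "(rw,noexec)" option lists.
tmp_exec_state() {
    awk '
        $2 == "on" && $3 == "/tmp" {
            found = 1; opts = $0
            sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
            n = split(opts, o, /[ ,]+/)
            for (i = 1; i <= n; i++) if (o[i] == "noexec") noexec = 1
        }
        END {
            if (!found) print "no-separate-mount"
            else print (noexec ? "noexec" : "exec")
        }'
}

# Reads ps output (header + pid, user, command); prints rows where the
# program or any argument is a path under /tmp.
procs_in_tmp() {
    awk 'NR > 1 {
        for (i = 3; i <= NF; i++) if ($i ~ /^\/tmp\//) { print; next }
    }'
}

SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, soft-updates)
/dev/ad0s1f on /usr (ufs, local, soft-updates)'

SAMPLE_PS='  PID USER COMMAND
  112 root /usr/sbin/syslogd -s
  840 ftp  /tmp/.x/run -c local.conf
  913 ftp  perl /tmp/.x/job.pl
  955 root /usr/sbin/sshd'

# $1 = mount output, $2 = ps output; returns 0 only if nothing needs review.
audit_tmp() {
    state=$(printf '%s\n' "$1" | tmp_exec_state)
    hits=$(printf '%s\n' "$2" | procs_in_tmp)
    echo "/tmp mount state: $state"
    if [ -n "$hits" ]; then printf 'processes referencing /tmp:\n%s\n' "$hits"; fi
    [ "$state" = "noexec" ] && [ -z "$hits" ]
}

audit_tmp "$SAMPLE_MOUNT" "$SAMPLE_PS" || echo "review needed"
```

A process can rewrite its own argument list and `ps` on a compromised host may have been replaced, so treat an empty result as a first pass rather than a clean bill of health.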



