From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 04:42:49 2005
Message-ID: <437D5BC4.5000700@open-networks.net>
Date: Fri, 18 Nov 2005 14:42:44 +1000
From: Timothy Smith
User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051002)
Cc: freebsd-security@freebsd.org
References: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
Subject: Re: Need urgent help regarding security
List-Id: "Security issues [members-only posting]"

I have seen a similar attack recently doing a brute force SSH. The number ONE weakness in most poorly run IT systems is easy passwords. It's amazingly easy to brute force these systems using common names or variations of them. In my instance they used it to join a botnet on an Undernet IRC channel. And yes, attempting to track them down will be a waste of time unless they have intruded on a very, very sensitive system and you have enough money to back an overseas legal battle.
Check in /tmp and see if anything is running in there; lots of times /tmp is mounted with exec and they use it to run their scripts.

>> Good Day!
>>
>> I think we have a serious problem. One of our old
>> servers running FreeBSD 4.9 has been compromised and
>> is now connected to an ircd server..
>> 195.204.1.132.6667 ESTABLISHED
>>
>> However, we still haven't brought the server down in
>> an attempt to track the intruder down. Right now we
>> are clueless as to what we need to do..
>> Most of our servers are running legacy operating
>> systems (old versions, mostly FreeBSD). Also, that
>> particular server is running ProFTPD Version 1.2.4,
>> which someone has suggested has a known
>> vulnerability..
>>
>> I really need all the help I can get, as the
>> administration of those servers was just transferred
>> to us by former admins. The server is used for ftp.
>>
>> Thanks..
>>
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> --
> Johan Berg
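Two checks that put the "look in /tmp" advice above into a script, added here as an example and not written by anyone on this thread. The functions read from stdin so they can be fed live `mount` and `ps -axo pid,user,command` output; the sample output embedded below is constructed.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): checks behind the advice
# "see if anything is running in /tmp". Functions read from stdin so they work
# on live output (`mount | tmp_has_noexec`, `ps -axo pid,user,command | procs_from_tmp`)
# as well as on the constructed samples below.

# Exit 0 if the mount line for /tmp carries the noexec option, else 1.
# FreeBSD ("... on /tmp (ufs, local, noexec)") and Linux ("... on /tmp type ext4 (rw,noexec)")
# both put the mount point in the third field.
tmp_has_noexec() {
    awk '$3 == "/tmp" && $0 ~ /noexec/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Print every process (header row skipped) whose command or any argument points
# into /tmp or /var/tmp, i.e. a script or binary executing from scratch space.
procs_from_tmp() {
    awk 'NR > 1 { for (i = 3; i <= NF; i++)
                      if ($i ~ /^\/(var\/)?tmp\//) { print; next } }'
}

# List regular files under a directory that carry the owner-execute bit; dropped
# scripts are normally chmod +x'ed so they can be started directly.
exec_files_in() {
    find "$1" -type f -perm -100 2>/dev/null
}

# Constructed sample output standing in for real `mount` and `ps` runs.
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, soft-updates)
/dev/ad0s1f on /usr (ufs, local, soft-updates)'
SAMPLE_MOUNT_HARDENED='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, noexec, nosuid, soft-updates)'
SAMPLE_PS='  PID USER COMMAND
    1 root /sbin/init --
  412 root /usr/sbin/sshd
  988 ftp  /usr/local/sbin/proftpd: (accepting connections)
 2231 ftp  sh /tmp/.x/run.sh
 2240 ftp  /var/tmp/.ICE-unix/httpd -c /var/tmp/.ICE-unix/conf'

if printf '%s\n' "$SAMPLE_MOUNT" | tmp_has_noexec; then
    echo "/tmp is mounted noexec"
else
    echo "WARNING: /tmp allows execution; scripts dropped there can run directly"
fi
printf '%s\n' "$SAMPLE_PS" | procs_from_tmp      # flags PIDs 2231 and 2240
```

Remounting /tmp with `noexec,nosuid` stops the plain `sh /tmp/x` case only partially (an interpreter can still be handed a script by path), so the process listing check is the one to keep running.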