From owner-freebsd-questions@FreeBSD.ORG Tue Aug 25 15:13:15 2009
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8A497106568B for ; Tue, 25 Aug 2009 15:13:15 +0000 (UTC) (envelope-from wmoran@potentialtech.com)
Received: from mail.potentialtech.com (internet.potentialtech.com [66.167.251.6]) by mx1.freebsd.org (Postfix) with ESMTP id 56A248FC19 for ; Tue, 25 Aug 2009 15:13:15 +0000 (UTC)
Received: from localhost (pr40.pitbpa0.pub.collaborativefusion.com [206.210.89.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.potentialtech.com (Postfix) with ESMTPSA id 61E98EBC0A; Tue, 25 Aug 2009 11:13:14 -0400 (EDT)
Date: Tue, 25 Aug 2009 11:13:13 -0400
From: Bill Moran
To: Paul Schmehl
Message-Id: <20090825111313.c923314b.wmoran@potentialtech.com>
In-Reply-To:
References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com> <20090825082604.41cad357.wmoran@potentialtech.com>
Organization: Bill Moran
X-Mailer: Sylpheed 2.7.1 (GTK+ 2.16.5; i386-portbld-freebsd7.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org, Colin Brace
Subject: Re: what www perl script is running?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 25 Aug 2009 15:13:15 -0000

In response to Paul Schmehl :

> --On Tuesday, August 25, 2009 07:26:04 -0500 Bill Moran
> wrote:
> >>
> >> I am currently killing the process with the following bash command while I
> >> decide what to do next:
> >>
> >> $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15;
> >> done
> >
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
> >
> > In reality, good security practice says that you should have IPFW (or some
> > other firewall) running and only allowing known good traffic right from
> > the start, which might have protected you from this in the first place.
> >
>
> I disagree. I used to believe this, but experience has taught me otherwise.
> When you run a firewall on a host, you open the ports for the services you want
> to offer. The firewall provides you no protection at all against hackers
> attacking the services that are listening on ports opened through the firewall.
> All a host firewall does is consume CPU and memory and give you a warm fuzzy
> that doesn't really add to security at all and may well make you less vigilant.
> (And yes, I know I'm a security heretic in some quarters.)

Well, you're entitled to your opinion, but I think it's misguided.

Security isn't always about preventing a compromise. Sometimes it's about
reducing the damage. If he had a packet filter installed that allowed only
known-good traffic, he still might have gotten compromised through a web
server, you got that part right. The part you missed is that the installed
script needs to connect out to talk to its bot master. The packet filter
would have prevented this communication, thus the rogue script would have
been useless. While the compromise of the machine would succeed, control of
the machine would not fall into other hands, and the script would be
incapable of compromising _information_ on the machine (as it stands, you
have no idea what files that script has been sending up to the bot master
... password files, for example?)

A side note to that. Make sure to change each and every password, key file,
etc. on that system, as they're all suspect at this point.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
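The "allow only known-good traffic" ipfw ruleset that the reply above argues for, written out as an added example (it is not code from the thread or from any of its participants). It assumes a FreeBSD web host that serves HTTP/HTTPS and SSH, resolves names through one resolver and fetches packages from one mirror; the addresses 192.0.2.53 and 198.51.100.10 are placeholders, as are the rule numbers. Outbound connections to anything not named in an allow rule, which is exactly what a dropped-in perl script calling its bot master needs, fall through to the final logged deny.

```shell
#!/bin/sh
# Added example, not code from the thread: a default-deny ipfw ruleset for a
# FreeBSD web host. Inbound is limited to the services offered; outbound is
# limited to the resolver and the package mirror, so an unexpected process
# trying to connect out is blocked and the attempt is logged.
# Assumptions (placeholders, not from the thread): $RESOLVER and $MIRROR.

RESOLVER="${RESOLVER:-192.0.2.53}"
MIRROR="${MIRROR:-198.51.100.10}"

# Emit the ruleset as "ipfw add" commands, lowest rule number first, which
# is the order ipfw evaluates them. Nothing is applied by this function.
gen_ruleset() {
    cat <<EOF
ipfw -q flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 check-state
ipfw add 300 allow tcp from any to me 80,443 in setup keep-state
ipfw add 310 allow tcp from any to me 22 in setup keep-state
ipfw add 400 allow udp from me to $RESOLVER 53 out keep-state
ipfw add 410 allow tcp from me to $RESOLVER 53 out setup keep-state
ipfw add 500 allow tcp from me to $MIRROR 80,443 out setup keep-state
ipfw add 600 allow icmp from any to any icmptypes 0,3,8,11
ipfw add 65000 deny log ip from any to any
EOF
}

# Number of "ipfw add" commands in the generated ruleset.
count_rules() {
    gen_ruleset | grep -c '^ipfw add '
}

# Succeeds when the final rule is the catch-all logged deny: any flow that
# no earlier allow matched, the bot-master callback included, lands here.
last_rule_denies() {
    gen_ruleset | tail -n 1 | grep -q '^ipfw add 65000 deny log ip from any to any$'
}

# Succeeds when no outbound rule permits an arbitrary destination; every
# "out" rule has to name a specific host, which is the whole point.
no_wildcard_egress() {
    if gen_ruleset | grep ' out ' | grep -q ' to any '; then
        return 1
    fi
    return 0
}

# Load the ruleset into the running firewall when ipfw is present, otherwise
# print it for review (e.g. on a non-FreeBSD workstation).
apply_ruleset() {
    if command -v ipfw >/dev/null 2>&1; then
        gen_ruleset | sh -e
    else
        gen_ruleset
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
fi
```

Apply it from the console the first time, since `ipfw -q flush` drops whatever rules were letting your SSH session in until rule 310 is loaded. Set `net.inet.ip.fw.verbose=1` so the `deny log` rule writes to syslog (FreeBSD routes it to /var/log/security); `ipfw -a list` then shows the packet counter on rule 65000 climbing as the script retries, and `sockstat -4 -c` names the process holding the socket, which answers the thread's original question of which script is running.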