From: Patrick Fish
Date: Mon, 02 Dec 2002 20:59:41 -0800
Subject: Re: psybnc and IRC hack
To: neallist@wispair.net, stabilizer@klentaq.com
Cc: freebsd-security@FreeBSD.ORG
Message-id: <039801c29a88$cab8e5a0$1401a8c0@patrick>
References: <20021202123616.A33705@klentaq.com> <009101c29a34$1b96f4d0$0301a8c0@prime> <3DEC45ED.CFA0FF57@wispair.net>

> This doesn't belong on freebsd-security.
>
> Read this first:
>
> http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/security.html
>
> If you're still confused, get on an Undernet IRC server, go to #freebsdhelp, and
> ask for assistance. It's best to show between 18:00 and 24:00 EST from my
> experience. There are probably other places you could check; this one I frequent
> and I know they'll help new people. If you have no luck there, try EFnet (same channel).
>
> Charles Swiger wrote:
>
> > [ This probably belongs on freebsd-security, instead... ]
> >
> > Wayne M Barnes wrote:
> > > How can I best recover from, and defend myself from, a hacker
> > > who breaks into my system and runs a program called psybnc
> > > without my permission? I think he is using my system as a
> > > front/slave.
> >
> > Yes. Unless you installed an IRC bouncer-- or whatever it was being used for--
> > yourself, it's a safe bet that your machine was hacked. You haven't identified
> > much about the system-- OS version, what service was compromised (if you know,
> > and you should investigate that), as well as form an incident timeline.
> >
> > The best way to recover is to back up the compromised system, for recovery of
> > your data and later forensics if you (or your ISP) choose to investigate
> > further.
> >
> > Reinstall the latest version of FreeBSD from a known-good image, possibly using
> > CVSUP to upgrade to -STABLE or the security branch for your version
> > (RELENG_4_7?).
> >
> > Then restore your data (after making sure nothing was compromised...that means
> > do not copy data, especially executables, without checking them against prior
> > backups).
> >
> > > For now, I have killed psybnc, deleted the directory of stuff
> > > that he put in, and changed my password. Is that any good?
> >
> > It's a good starting point, yes, but it certainly isn't sufficient.
> >
> > > Can there be a real vaccination built in to FreeBSD?
> >
> > Yes. It's easy to compare your system against the software from the OS install
> > disk; where many people encounter problems is with the changes they've made
> > afterwards themselves. How complete are your backups?
> >
> > -Chuck
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> pf
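Chuck's advice above, to compare the system against the software on the install disk and to check executables against prior backups before copying them back, written out as an added example that is not from anyone in the thread: it hashes a known-good tree and the live tree and reports files that were replaced, had their permission bits changed (such as a new setuid bit), were added, or were removed. The file names and the `usr/local/.bnc/psybnc` drop path are constructed for the demo, not taken from the incident.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def build_manifest(root: Path) -> dict:
    # Map each regular file (path relative to root) to (sha256, permission bits).
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # hash real files only; a swapped link target shows up there
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            manifest[p.relative_to(root).as_posix()] = (digest, stat.S_IMODE(p.stat().st_mode))
    return manifest

def compare_manifests(baseline: dict, current: dict) -> dict:
    # Classify every difference between the known-good tree and the live tree.
    report = {"modified": [], "mode_changed": [], "added": []}
    for rel, (digest, mode) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif digest != baseline[rel][0]:
            report["modified"].append(rel)
        elif mode != baseline[rel][1]:
            report["mode_changed"].append(rel)  # same bytes, but e.g. a new setuid bit
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {k: sorted(v) for k, v in report.items()}

def demo() -> dict:
    # Constructed sample: a pristine tree and a live copy with typical tampering.
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "install_media"), Path(tmp, "live_system")
        for root in (good, live):
            for rel, data in {"bin/ls": b"ls", "bin/ps": b"ps", "etc/motd": b"hi"}.items():
                f = root / rel
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_bytes(data)
                f.chmod(0o755)
        (live / "bin/ps").write_bytes(b"ps that hides the bouncer")  # replaced binary
        (live / "bin/ls").chmod(0o4755)                              # setuid bit added
        (live / "etc/motd").unlink()                                 # file removed
        dropped = live / "usr/local/.bnc/psybnc"                     # hypothetical path
        dropped.parent.mkdir(parents=True)
        dropped.write_bytes(b"bouncer")
        return compare_manifests(build_manifest(good), build_manifest(live))
```

On a real system the baseline manifest should be built from read-only install media or a backup taken before the incident and stored off the compromised host, since a manifest kept on the box can be edited along with the binaries it describes.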