From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 01:48:38 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E1D9016A41F; Thu, 17 Nov 2005 01:48:38 +0000 (GMT) (envelope-from ray@redshift.com)
Received: from outgoing.redshift.com (outgoing.redshift.com [207.177.231.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id A9B7E43D46; Thu, 17 Nov 2005 01:48:38 +0000 (GMT) (envelope-from ray@redshift.com)
Received: from workstation (216-228-19-21.dsl.redshift.com [216.228.19.21]) by outgoing.redshift.com (Postfix) with SMTP id 40DDD984BB; Wed, 16 Nov 2005 17:48:38 -0800 (PST)
Message-Id: <3.0.1.32.20051116174838.00a75e70@pop.redshift.com>
Date: Wed, 16 Nov 2005 17:48:38 -0800
To: Mark Jayson Alvarez, freebsd-security@freebsd.org
From: ray@redshift.com
In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
Subject: Re: Need urgent help regarding security
List-Id: "Security issues [members-only posting]"

At 05:25 PM 11/16/2005 -0800, Mark Jayson Alvarez wrote:
| Good Day!
|
| I think we have a serious problem. One of our old
| servers running FreeBSD 4.9 has been compromised and
| is now connected to an ircd server..
| 195.204.1.132.6667 ESTABLISHED
|
| However, we still haven't brought the server down in
| an attempt to track the intruder down. Right now we
| are clueless as to what we need to do..
| Most of our servers are running legacy operating
| systems (old versions, mostly FreeBSD). Also, that
| particular server is running ProFTPD Version 1.2.4,
| which someone has suggested has a known
| vulnerability..
|
| I really need all the help I can get, as the
| administration of those servers was just transferred
| to us by the former admins. The server is used for ftp.
|
| Thanks..

Hi Mark,

Good luck tracking them. The IP# is out of Canada if that helps any.

195.204.1.132 CA CANADA ONTARIO WAWA UNDERNET-IRC

Looks like it is coming from another IRC network - although I am no IRC expert. Someone is probably using your machine to exchange software or run a bot network or something along those lines. Who knows. Try doing a ps -aux and see if something like eggdrop or some IRC bot is running on there (assuming you still have the root password). You might even be able to figure out if you are hosting an IRC room :-) Maybe everyone from the FreeBSD hacker list can meet there and party :-) Just kidding.

Anyway, tracking them is probably a waste of time, unless some valuable corporate information has been stolen. The best bet is to just wipe the machine and start over, unless you need something on there that you can't back up, etc. In cases like these, unless you are running something that has built checksums of all your system files, it's difficult to work backwards and know for sure you have returned everything to a secure status. Best just to start at square 1 and work forward.

In the future, you might consider running a firewall, such as ipf - or putting the server on a non-public IP# behind a router that acts as a firewall - then only allow traffic in (and out) on ports you really need. If you run ipf, you might also block outgoing traffic on ports such as 21, 6666-6669, etc. so that anything that does get into the machine can't "phone home".

If your root password has been changed on you, you'll need to boot into single user mode and change the password back. You might also check files like /etc/rc.local or the like to see if something is set up to auto-load at boot, such as an IRC server, or IRC bot, etc.

Anyway, just some ideas off hand. Good luck!

Ray
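The "195.204.1.132.6667 ESTABLISHED" line Mark pasted is the kind of evidence an admin can check for on every legacy box, not just the one already known to be compromised. The script below is an added example, not part of this thread and not from either poster: it reads FreeBSD-style `netstat -an` output (address and port joined by a dot, as in 4.x) and reports every established TCP connection whose foreign port falls in the IRC range 6666-6669 that Ray suggests blocking. The sample output embedded in it is constructed; only the 195.204.1.132 address comes from the thread, the other addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Flag ESTABLISHED TCP connections to IRC ports 6666-6669 in
# FreeBSD-style `netstat -an` output read from standard input.
# Prints one "foreign_ip:port" per hit.
flag_irc_connections() {
    awk '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        # Foreign address looks like 195.204.1.132.6667: last dotted
        # field is the port, everything before it is the IP.
        n = split($5, a, ".")
        port = a[n] + 0
        if (port >= 6666 && port <= 6669) {
            sub(/\.[0-9]+$/, "", $5)
            print $5 ":" port
        }
    }'
}

# Constructed sample in FreeBSD 4.x netstat -an layout (not captured
# from any real host). Only the first line should be flagged: the
# ftp session is on port 21 and the TIME_WAIT entry is not established.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.3456          195.204.1.132.6667     ESTABLISHED
tcp4       0      0  10.0.0.5.21            198.51.100.7.40211     ESTABLISHED
tcp4       0      0  10.0.0.5.1025          203.0.113.9.6667       TIME_WAIT
tcp4       0      0  *.21                   *.*                    LISTEN
udp4       0      0  *.514                  *.*'

# Run against the constructed sample; on a live host use:
#   netstat -an | flag_irc_connections
printf '%s\n' "$SAMPLE" | flag_irc_connections
```

On a real machine the check is `netstat -an | flag_irc_connections`; a non-empty result is the cue to follow Ray's next step (`ps -aux` for the process holding the socket, then a look at what starts at boot) before deciding whether the box gets rebuilt.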