Date:      Wed, 16 Nov 2005 23:55:27 -0500
From:      Bill Desjardins <bill@ethernext.com>
To:        freebsd-security@freebsd.org
Cc:        Mark Jayson Alvarez <jay2xra@yahoo.com>
Subject:   Re: Need urgent help regarding security
Message-ID:  <20051116235527.4okakp84gk40osco@webmail.tuffmail.net>
In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
References:  <20051117012552.46503.qmail@web51607.mail.yahoo.com>

Mark,

Before going too nuts with trying to locate how they got in, let me ask: are
you running a webserver on this server, and any websites?

Take a look in /tmp and /var/tmp, and do a find for any directories which have
777 perms, like uucppublic in /var. If so, are they owned by the web user? I
have seen many IRC bots installed from poorly written PHP and Perl programs
into /tmp and such, which are then run via the same security holes that
allowed them to be installed. These programs can only be run on high port
numbers and are owned by the webserver owner. 99 of 100 are usually IRC
bots as well. Another thing to look for is whether they installed a cron job for
the web user which re-downloads the files if they are deleted. You can
disable cron for www, and it is recommended. I have seen these tactics more and
more lately, and the amount of bad 3rd-party code used by my users doesn't
help at all.

HTH,

Bill

--
Bill Desjardins                d: 305.205.8644
EtherneXt.com - Managed Colocation & Bandwidth
bill@ethernext.com         Phone: 305.373.5960


Quoting Mark Jayson Alvarez <jay2xra@yahoo.com>:

> Good Day!
>
> I think we have a serious problem. One of our old
> servers running FreeBSD 4.9 has been compromised and
> is now connected to an ircd server..
> 195.204.1.132.6667     ESTABLISHED
>
> However, we still haven't brought the server down in
> an attempt to track the intruder down. Right now we
> are clueless as to what we need to do..
> Most of our servers are running legacy operating
> systems (old versions, mostly FreeBSD). Also, that
> particular server is running ProFTPD Version 1.2.4,
> which someone has suggested has a known
> vulnerability..
>
> I really need all the help I can get, as the
> administration of those servers was just transferred
> to us by former admins. The server is used for FTP.
>
> Thanks..
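The triage checks Bill describes (world-writable scratch directories, files owned by the web user, a crontab for the web user, web-user processes on high ports), as an added shell script that is not part of this thread. It assumes the web server runs as FreeBSD's default user `www` (override with the first argument) and that FreeBSD's `sockstat` is available for the listening-socket check.

```shell
#!/bin/sh
# Added triage script for the compromise pattern discussed above: a drop
# zone in /tmp, /var/tmp or a 777 directory, payloads owned by the web
# user, a cron job for that user, and bot processes on high ports.
# Assumption: the web server runs as "www"; pass another user as $1.

WEBUSER="${1:-www}"

# Print every directory under the given roots that is world-writable
# (o+w, e.g. 777), one per line. Permission errors are suppressed.
find_world_writable_dirs() {
    find "$@" -type d -perm -0002 -print 2>/dev/null
}

# Print files under the given roots owned by the web user. On a box that
# only serves FTP, nothing in /tmp should belong to the web user.
find_webuser_files() {
    find "$@" -user "$WEBUSER" -print 2>/dev/null || true
}

# Count lines on stdin (helper so the scan results can be checked).
count_lines() {
    wc -l | tr -d ' '
}

# Exit status 0 if the web user has a crontab; normally it should have none.
webuser_has_crontab() {
    crontab -u "$WEBUSER" -l >/dev/null 2>&1
}

# Listening IPv4 sockets owned by the web user on ports >= 1024.
# FreeBSD sockstat columns: USER COMMAND PID FD PROTO LOCAL FOREIGN.
webuser_high_ports() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -4 -l | awk -v u="$WEBUSER" \
            '$1 == u { split($6, a, ":"); if (a[2] + 0 >= 1024) print }'
    else
        echo "sockstat not found; use netstat -an or lsof -i instead" >&2
    fi
}

scan() {
    echo "== world-writable directories in /tmp /var/tmp /var =="
    find_world_writable_dirs /tmp /var/tmp /var
    echo "== files owned by $WEBUSER in /tmp /var/tmp =="
    find_webuser_files /tmp /var/tmp
    echo "== crontab for $WEBUSER =="
    webuser_has_crontab && echo "PRESENT: inspect with crontab -u $WEBUSER -l"
    echo "== $WEBUSER listening on high ports =="
    webuser_high_ports
}

scan
```

Run it as root so `find` can descend into every directory and `crontab -u` is permitted; each section that prints nothing is a good sign.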