Date: Tue, 25 Aug 2009 15:42:50 +0200 From: Ruben de Groot <mail25@bzerk.org> To: Colin Brace <cb@lim.nl> Cc: freebsd-questions@freebsd.org Subject: Re: what www perl script is running? Message-ID: <20090825134250.GA6871@ei.bzerk.org> In-Reply-To: <25134056.post@talk.nabble.com> References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com> <20090825082604.41cad357.wmoran@potentialtech.com> <25134056.post@talk.nabble.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Aug 25, 2009 at 06:16:49AM -0700, Colin Brace typed:
>
>
> Bill Moran wrote:
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
> >
> > In reality, good security practice says that you should have IPFW (or some
> > other firewall) running and only allowing known good traffic right from
> > the start, which might have protected you from this in the first place.
> >
>
> Bill,
>
> I am surprised you would think I have no firewall. As long as I have had the
> server (2 years), I have had PF installed and running, and I can tell you
> exactly which incoming ports I have open to the net:
>
> tcp_services = "{ ssh smtp www https 4661 4662 52550 }"
But are you blocking any outgoing traffic?
> wifi_tcp_services = "{ ftp ssh bootps whois domain www imap imaps ntp irc
> https sunrpc dict nfs 2628 3689 4711 6667 6909 23398}"
>
> Should I entertain the possiblity that someone parked their car near my
> house and hacked in through one of the above ports?
That's certainly possibly. But not my first guess.
> Any suggestions as to where to start looking for the breach would be most
> welcome; I am quite new to this game.
My guess (not much more than that) is that someone used a vulnerable web page,
maybe some perl or php application that was exploitable. This because the
rogue process was running as user "www".
Try a find through the entire filesystem for files owned by this user that
you can't account for. Also check your cron and at files under /var/cron and
/var/at
And try to find out what's starting the proces whith ps -alx, tracking the
PPIDs.
gooed hunting!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090825134250.GA6871>