Date: Wed, 16 Nov 2005 23:08:03 -0600
From: Mark Kane <mark@mkproductions.org>
To: Steve Bertrand <iaccounts@ibctech.ca>
Cc: 'Mark Jayson Alvarez' <jay2xra@yahoo.com>, freebsd-questions@freebsd.org
Subject: Re: Need urgent help regarding security
Message-ID: <437C1033.2030306@mkproductions.org>
In-Reply-To: <E1Eca6n-000BJx-6N@server1.tntpowerhost.com>
References: <E1Eca6n-000BJx-6N@server1.tntpowerhost.com>
Steve Bertrand wrote:

>> - "top" lists nothing significant. 97% idle CPU
>
> Irrelevant, the process is probably idle right now.

I understand, but I was trying to give you the results of the commands that you asked Mark Alvarez to run.

>> - "w" only shows myself and one other legit user logged in
>> who is editing config files with vi
>
> Perhaps they aren't currently logged in.

It doesn't look like someone got SSH access; it looks more to me like it's a vulnerable PHP script or something. Not sure, but that would be my guess.

>> - "last" shows nothing but myself and that one other user
>
> What is the last entry that last shows (no pun intended)... ie: what is
> the date?

The dates on "last" range from Nov 1st to today. All but 2 are from my IP logging in, and the others are users who just edit config files and untar files on the server (I've verified that they are their real, legit IPs).

>> - "ps -aux" doesn't say anything about psyBNC or bnc.
>> everything looks normal as of now
>
> Ok, here's what to do:
>
> # pkg_add -r nmap
> # rehash
> # nmap -sS -P0 my.ip.server.com
>
> ...then (probably futile):
>
> # nmap -sU -P0 my.ip.server.com
>
> which will tell you if you are listening on ports you *shouldn't* have
> open.

I will email you off the list with that info.

>> - It's a FreeBSD 5.4-RELEASE machine with a generic kernel
>> except with quota support
>
> You still didn't answer the FTP question. What services should be
> running on it?

Well, I am a different Mark than the one who originally posted. I just saw this on the list and found a connection attempt through netstat to the same IP and port as the original Mark that posted. I, unlike Mark Alvarez, run more than just an FTP server. I will email you with those services.
> You can easily rebuild a new kernel with:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT_1000
>
> Then create a script blocking ALL ports except those that you need.
> Especially only allowing SSH access to the box from limited IPs. If you
> need help, just ask.

Thanks for the suggestion. I personally have no experience with IPFW (I have played with IPF a little bit on a test box here), so I will have to think on that a little. I am guessing you suggest IPFW as opposed to IPF, correct? I read up on IPFW and IPF in the handbook when I was experimenting with firewalls, and the rule syntax and things seemed more logical to me with IPF, but I did not look that far in depth. My servers are also remote, so I would have to make sure I didn't firewall myself out when enabling any firewall. ;)

> This sounds like a brute-forced password hack via remote access, or
> an overflow via vulnerable software that should not be Internet facing.
>
> Don't give me your IP if you don't want, just tell us (or me personally)
> what should be Internet facing (as far as services), and get you fixed
> up.

I will email you the services that need to be open.

> Have you checked your daily cron outputs lately? What do they say?

All I see is legit cronjobs from a billing system that I run and some from cPanel such as cpumonitor and backups.

> nmap is your friend, and so is IPFW. Figure out exactly what you need to
> face the Internet, and staple the rest closed.
>
> Steve

Thanks again for your help.
-Mark Kane
--
GnuPG Public Key: http://www.mkproductions.org/mk_pubkey.asc
Internet Radio: Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net
IRC: MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
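The IPFW rule script Steve describes (close everything, allow SSH only from a few addresses, let the needed services through) together with the lock-out concern Mark raises for a remote box, as an added example that is not part of this thread and not FreeBSD's own /etc/rc.firewall. The administrative addresses (203.0.113.10, 198.51.100.0/24), the interface name fxp0 and the public port list are placeholders to be replaced with the real values. Two caveats a practitioner wants before rebuilding the kernel: the log-limit option is spelled `options IPFIREWALL_VERBOSE_LIMIT=1000` in the kernel config, and without `IPFIREWALL_DEFAULT_TO_ACCEPT` the built-in rule 65535 denies all traffic, so the rules must be loaded at boot (`firewall_enable="YES"` and `firewall_script="/usr/local/etc/ipfw.sh"` in /etc/rc.conf) or the host is unreachable after the first reboot.

```shell
#!/bin/sh
# Added example: ipfw ruleset for a remote FreeBSD server.
# Not from the mailing-list thread; addresses, interface and ports are placeholders.

ADMIN_NETS="203.0.113.10 198.51.100.0/24"   # constructed: hosts allowed to SSH in
IFACE="fxp0"                                # hypothetical external interface
PUBLIC_TCP="21 80 443"                      # services that should face the Internet
IPFW="${IPFW:-/sbin/ipfw}"                  # override (e.g. IPFW=echo) for a dry run

# Print the ruleset, one "add ..." argument list per line, lowest number first.
gen_rules() {
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 deny ip from any to 127.0.0.0/8"
    echo "add 300 deny ip from 127.0.0.0/8 to any"
    # Match replies to connections the keep-state rules below have recorded.
    echo "add 400 check-state"
    # SSH only from the administrative addresses, never "from any".
    for net in $ADMIN_NETS; do
        echo "add 1000 allow tcp from $net to me 22 in via $IFACE setup keep-state"
    done
    # Services that must be reachable from the Internet.
    for port in $PUBLIC_TCP; do
        echo "add 2000 allow tcp from any to me $port in via $IFACE setup keep-state"
    done
    # Connections the host itself opens (package fetches, DNS).
    echo "add 3000 allow tcp from me to any out via $IFACE setup keep-state"
    echo "add 3100 allow udp from me to any 53 out via $IFACE keep-state"
    echo "add 3200 allow icmp from any to any icmptypes 0,3,8,11"
    # Everything else is dropped and logged (rate-limited by IPFIREWALL_VERBOSE_LIMIT).
    echo "add 65000 deny log ip from any to any"
}

# Ruleset that reopens the box; loaded by the timed fallback if you lock yourself out.
gen_open_rules() {
    echo "add 65000 allow ip from any to any"
}

# Flush the current table and feed a rule list (from stdin) into ipfw.
load_rules() {
    "$IPFW" -q -f flush
    while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting $rule into ipfw arguments is intended
        "$IPFW" -q $rule
    done
}

# Start a background timer that restores allow-all after $1 seconds (default 300).
# Once you have confirmed a fresh SSH login still works, run: kill "$FALLBACK_PID"
schedule_fallback() {
    (sleep "${1:-300}" && gen_open_rules | load_rules) &
    FALLBACK_PID=$!
}

# Sanity check: number of rules that would accept SSH from arbitrary sources (want 0).
ssh_open_to_world() {
    gen_rules | grep -c 'allow tcp from any to me 22' || true
}

case "${1:-}" in
    show)  gen_rules ;;
    apply) schedule_fallback 300; gen_rules | load_rules ;;
esac
```

Review the generated rules with `sh ipfw.sh show`, then load them with `sh ipfw.sh apply` from your existing session; open a second SSH session from one of the administrative addresses before the fallback timer expires and, if it works, kill the fallback and confirm the live table with `ipfw show`. Re-running the nmap scans Steve lists against the host afterwards should show only the ports in PUBLIC_TCP, plus 22 when scanning from an ADMIN_NETS address.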