Mark Jayson Alvarez wrote:
Now we have a couple of inputs, we just have to figure out which is the proper
combination. Here they are:
1. Use private key for ssh logins (should bring the private key always... and
if it is stolen.)
Private keys can (and should) be passphrase protected.
Mark Jayson Alvarez <[EMAIL PROTECTED]> writes:
> Suggestions are welcome... very much welcome. I just need to collate
> everything.
Start with security(7).
In future, keep up with Security Advisories.
Good day again!!
This has something to do with my previous email about finding an IRC bouncer
installed on one of our FreeBSD servers (4.9). Someone suggested here to run a
rootkit finder... I installed an rkhunter and eventually found an ascii text
file inside the /dev/ named "saux" and to
--On Wednesday, November 16, 2005 20:29:55 -0500 Steve Bertrand
<[EMAIL PROTECTED]> wrote:
I think we have a serious problem. One of our old servers
running FreeBSD 4.9 has been compromised and is now
connected to an ircd server..
195.204.1.132.6667 ESTABLISHED
Ran into this recently. P
[...]
> > You can easily rebuild a new kernel with:
> >
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT_1000
> >
> > Then create a script blocking ALL ports except those you need.
> > Especially only allowing SSH access to the box from limited
> IP
> On Wed, Nov 16, 2005 at 09:51:08PM -0500, Steve Bertrand wrote:
> > Most *((cr/h)ackers* (and I use that term VERY loosely (aka:
> > script kiddies)) are interested in rooting a box, and setting up a
> > storage/sharing area that is free to them. This may not be
> the case,
> > but it's bette
David Kirchner wrote:
> On 11/16/05, Mark Kane <[EMAIL PROTECTED]> wrote:
>
>>I also see a psyBNC server listening on port 7978:
>>
>>server# sockstat -l4 | grep psybnc
>>USER    COMMAND  PID   FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
>>wicked6 psybnc   15819 3  tcp4  *:7978
Marco Wertejuk <[EMAIL PROTECTED]> wrote:
try sockstat | grep 6667 to see which process is
connecting to irc and try to see what this process
is doing with lsof, but depending on what backdoor
or rootkit is used, it's possible to see nothing
because intelligent rootkits hide themselves
Ok done thi
On Nov 16, 2005, at 9:38 PM, Will Maier wrote:
OP has some asset that is being threatened or diminished by this
attack, be it his bandwidth, CPU cycles, host/network integrity or
self confidence. He needs to identify that asset and work quickly to
protect it. In most cases, this will mean immedi
Steve Bertrand wrote:
>>- "top" lists nothing significant. 97% idle CPU
>
>
> Irrelevant, the process is probably idle right now.
I understand, but I was trying to give you the results of the commands
that you asked Mark Alvarez to run.
>>- "w" only shows myself and one other legit user logged
On Wed, Nov 16, 2005 at 05:16:37PM -0800, Mark Jayson Alvarez wrote:
> Good Day!
At first I thought I was confused, but then I realized that you had
cross-posted your message to freebsd-security@ and
[EMAIL PROTECTED] Please don't do this, as it fragments the
discussion.
Good luck.
On Wed, Nov 16, 2005 at 09:51:08PM -0500, Steve Bertrand wrote:
> Most *((cr/h)ackers* (and I use that term VERY loosely (aka:
> script kiddies)) are interested in rooting a box, and setting up a
> storage/sharing area that is free to them. This may not be the
> case, but it's better to 'observe' y
Steve Bertrand <[EMAIL PROTECTED]> wrote:
> Now what I want to do is to just reinstall the whole
> operating system and secure it as possible as I can. Like
> someone told, it's just a waste to try to track it down
> because the intruder might be located somewhere on the other
> side of the w
On 11/16/05, Mark Kane <[EMAIL PROTECTED]> wrote:
> I also see a psyBNC server listening on port 7978:
>
> server# sockstat -l4 | grep psybnc
> USER    COMMAND  PID   FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> wicked6 psybnc   15819 3  tcp4  *:7978        *:*
>
> Funny thing i
> Now what I want to do is to just reinstall the whole
> operating system and secure it as possible as I can. Like
> someone told, it's just a waste to try to track it down
> because the intruder might be located somewhere on the other
> side of the world.
They are always on the other side of
First, I want to thank you all for replying. For now, what I just did was
pull the UTP cable from its Ethernet port. Now no one can access it.
However I tried once to put it back and then the ircd connection went up
silently. It is confirmed that we are running "psybnc" like what so
> - "top" lists nothing significant. 97% idle CPU
Irrelevant, the process is probably idle right now.
> - "w" only shows myself and one other legit user logged in
> who is editing config files with vi
Perhaps they aren't currently logged in.
> - "last" shows nothing but myself and that one ot
> > also /var/tmp
>
> Indeed, many people would install with a /var partition,
> which would put /tmp under /var via symlink, but a good point.
My mistake...symlink was the wrong word to use here, for those who
create a /var partition without physically making a /tmp partition.
> > # ls -la /tmp
>
> also /var/tmp
Indeed, many people would install with a /var partition, which would put
/tmp under /var via symlink, but a good point.
> if you run awstats or phpBB - upgrade...
Agreed, but even phpBB may not be the fault. Many problems with PHP come
with the binary, not
Mark Jayson Alvarez wrote:
> Good Day!
>
> I think we have a serious problem. One of our old
> servers running FreeBSD 4.9 has been compromised and
> is now connected to an ircd server..
> 195.204.1.132.6667 ESTABLISHED
I believe I'm having the same issue as you, except on FreeBSD
5.4-RELEASE
>
> # ls -la /tmp
also /var/tmp
look for netstat and rpcd under those...
if you run awstats or phpBB - upgrade...
> I think we have a serious problem. One of our old servers
> running FreeBSD 4.9 has been compromised and is now
> connected to an ircd server..
> 195.204.1.132.6667 ESTABLISHED
Ran into this recently. Please post the entire output from:
# top
# w
# last
# ps -aux
# uname -a
...after tha