Date: Wed, 16 Nov 2005 20:29:55 -0500
From: "Steve Bertrand" <iaccounts@ibctech.ca>
To: "'Mark Jayson Alvarez'" <jay2xra@yahoo.com>
Cc: 'FreeBSD Questions' <questions@freebsd.org>
Subject: RE: Need urgent help regarding security
Message-ID: <20051117013004.CBEA243D45@mx1.FreeBSD.org>
In-Reply-To: <20051117011637.17190.qmail@web51601.mail.yahoo.com>
> I think we have a serious problem. One of our old servers
> running FreeBSD 4.9 has been compromised and is now
> connected to an ircd server..
> 195.204.1.132.6667 ESTABLISHED

Ran into this recently. Please post the entire output from:

# top
# w
# last
# ps -aux
# uname -a

...after that, depending on the intruder's knowledge and depending on what/if they are covering up, we can probably tell what is going on via further troubleshooting.

The output from:

# ls -la /tmp

would probably help too.

> However, we still haven't brought the server down in an
> attempt to track the intruder down. Right now we are clueless
> as to what we need to do..
> Most of our servers are running legacy operating systems (old
> versions, mostly FreeBSD). Also, that particular server is
> running ProFTPD Version 1.2.4, which someone has suggested
> to have a known vulnerability..
>
> I really need all the help I can get as the administration of
> those servers were just transferred to us by former admins.
> The server is used for FTP.
>

First...just relax. Do not panic. Just let them do what they are going to do (with hopes you have backups), and the problem can be found and eradicated.

Now, answer these:

- do you have an external firewall in front of this box?
- do you have a firewall running on this box?
- is this box Internet facing?
- is this machine's ONLY purpose FTP?

Another thing...what is the IP of the box? I can quickly nmap it, give you instructions on how to config the IPFW firewall into the mix, tell you what ports are listening/responding and send you a ruleset to block all ports in/out to/from that IP.

Don't be concerned about finding out who did what at this point...again, relax. Running IRC usually doesn't appear they are malicious. They are likely just trying to use your bandwidth/resources.

Provide the above, and something can be done.

Steve
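As an added example (not part of the thread above), the following script gathers the triage output Steve asks for into one directory and flags ESTABLISHED TCP sessions to IRC ports, the symptom the original poster reported. It assumes it is run as root on the affected box, FreeBSD-style `netstat -an` output (host.port; the Linux host:port form is handled too), and the IRC port list and the embedded netstat sample are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Collects the triage output the
# reply lists (uname, top, w, last, ps, /tmp listing, netstat) before anything
# on the box is changed, and flags ESTABLISHED TCP sessions to IRC ports.
# Assumptions: run as root; FreeBSD netstat format (host.port), Linux style
# (host:port) also handled; the port list and the sample data are constructed.

IRC_PORTS="6667 6668 6669 7000"   # constructed list; 6667 is the port from the thread

# flag_irc_conns: read `netstat -an` lines on stdin and print the foreign
# address of every ESTABLISHED TCP connection whose remote port is in IRC_PORTS.
flag_irc_conns() {
    awk -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            remote = $5                               # Foreign Address column
            port = remote; sub(/.*[.:]/, "", port)    # keep only the port suffix
            if (port in want) print remote
        }'
}

# collect_triage: save the outputs the thread asks for into $1 (default: a fresh
# directory under /var/tmp, not /tmp, which is itself evidence) and print its name.
collect_triage() {
    dir="${1:-/var/tmp/triage.$(date +%Y%m%d%H%M%S)}"
    mkdir -p "$dir" || return 1
    for cmd in "uname -a" "top -b" "w" "last" "ps -aux" "ls -la /tmp" "netstat -an"; do
        out="$dir/$(printf '%s' "$cmd" | tr ' /' '__').txt"
        $cmd > "$out" 2>&1            # top -b: batch mode, single display on FreeBSD
    done
    flag_irc_conns < "$dir/netstat_-an.txt" > "$dir/irc_connections.txt"
    printf '%s\n' "$dir"
}

# Constructed netstat sample in FreeBSD format: the first line is the session the
# original poster saw, the rest are ordinary ftpd traffic, a listener and a UDP socket.
SAMPLE_NETSTAT='tcp4  0  0  10.0.0.5.1025  195.204.1.132.6667  ESTABLISHED
tcp4  0  0  10.0.0.5.21    192.0.2.10.40000    ESTABLISHED
tcp4  0  0  *.21           *.*                 LISTEN
tcp4  0  0  10.0.0.5.1026  192.0.2.11.6667     TIME_WAIT
udp4  0  0  *.514          *.*'

# Stand-alone demonstration on the constructed sample (prints 195.204.1.132.6667).
printf '%s\n' "$SAMPLE_NETSTAT" | flag_irc_conns
```

Run `collect_triage` on the live box to produce the files to post to the list; only the session in the TIME_WAIT state and the ftpd traffic are left out of the flagged list.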
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051117013004.CBEA243D45>