From: Mark Kane
Date: Wed, 16 Nov 2005 20:40:31 -0600
To: Mark Jayson Alvarez
Cc: iaccounts@ibctech.ca, freebsd-questions@freebsd.org
Subject: Re: Need urgent help regarding security
Message-ID: <437BED9F.6010703@mkproductions.org>
In-Reply-To: <20051117011640.27963.qmail@web51612.mail.yahoo.com>
User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051110)

Mark Jayson Alvarez wrote:
> Good Day!
>
> I think we have a serious problem. One of our old servers running
> FreeBSD 4.9 has been compromised and is now connected to an ircd
> server..
> 195.204.1.132.6667 ESTABLISHED

I believe I'm having the same issue as you, except on FreeBSD 5.4-RELEASE. I
notice a connection to the same IP and port as you posted (which, by the way,
is an Undernet IRC server). I also see a psyBNC server listening on port 7978:

server# sockstat -l4 | grep psybnc
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
wicked6  psybnc     15819 3  tcp4   *:7978                *:*

Funny thing is, there is no process by wicked6 (or by anyone currently) called
"psybnc". I can connect to an IP on that server on port 7978 and get a psyBNC
though. I've checked for other processes by wicked6; nothing.

It's trying to make a connection on 6667 to that IP as I said:

server1# netstat -n | grep 6667
tcp4       0      0  xx.xx.xx.xx.64243      195.197.175.21.6667    SYN_SENT

top lists nothing using up much CPU. /tmp doesn't show much except many session
files. I found a psybnc.tar.gz file in a user's home directory but cannot find
any directories with psybnc config files or binaries.

Port 6667 is blocked by my datacenter so this is not actually doing any damage
against the target, but I wanted to post here and let you know I'm having the
same problem on a different version of FBSD with everything up to date.

To Steve: I don't want to post the full outputs of those since this is a client
server, but I will say the following points:

- "top" lists nothing significant. 97% idle CPU
- "w" only shows myself and one other legit user logged in who is editing
  config files with vi
- "last" shows nothing but myself and that one other user
- "ps -aux" doesn't say anything about psyBNC or bnc. Everything looks normal
  as of now
- It's a FreeBSD 5.4-RELEASE machine with a generic kernel except with quota
  support

-Mark

-- 
GnuPG Public Key: http://www.mkproductions.org/mk_pubkey.asc
Internet Radio: Party107 (Trance/Electronic) - http://www.party107.com
               Rock 101.9 The Edge (Rock) - http://www.rock1019.net
IRC: MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDe+2flH2ybcmj7I8RAqGiAKCPCPQ/2KuvSe7rT3W/XHZ2p84xWwCguAyp
BpLThZh0NIv16wfIcb0I3+w=
=Ejs/
-----END PGP SIGNATURE-----
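The post's key observation is a mismatch between two views of the same host: the kernel reports a listening socket owned by PID 15819 (sockstat), while the process table (ps) shows no such process. That discrepancy is the classic sign that something on the box is hiding processes, and it is the reason not to trust the compromised host's own tools beyond the point of confirming the finding. The script below is an added example, not part of the thread, that turns the three manual checks in the post into an offline cross-check over captured output. The sample captures are constructed; the column layouts assumed are FreeBSD's (sockstat -l4 as shown in the post, ps -ax as PID TT STAT TIME COMMAND, netstat -n with the port written after the last dot of the address).

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: offline cross-check of
# the observations in the post. The captures below are constructed; on a
# FreeBSD host they would come from "ps -ax", "sockstat -l4" and "netstat -n".
# Assumed column layouts: ps -ax = PID TT STAT TIME COMMAND,
# sockstat -l4 = USER COMMAND PID FD PROTO LOCAL FOREIGN (as in the post),
# netstat -n = Proto Recv-Q Send-Q Local Foreign (state), port after the last dot.

TMPD=$(mktemp -d)
PS_OUT="$TMPD/ps.txt"
SOCK_OUT="$TMPD/sockstat.txt"
NETSTAT_OUT="$TMPD/netstat.txt"

# Constructed sample: process table with no psybnc process visible.
cat > "$PS_OUT" <<'EOF'
  PID  TT  STAT      TIME COMMAND
    1  ??  ILs    0:00.03 /sbin/init --
  412  ??  Ss     0:01.20 /usr/sbin/sshd
  498  ??  Ss     0:00.45 /usr/local/sbin/httpd
 2201  p0  Ss     0:00.10 -csh (csh)
EOF

# Constructed sample: listeners, including one whose PID is absent from ps.
cat > "$SOCK_OUT" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   3  tcp4   *:22                  *:*
www      httpd      498   3  tcp4   *:80                  *:*
wicked6  psybnc     15819 3  tcp4   *:7978                *:*
EOF

# Constructed sample: connection table with an outbound attempt to an IRC port.
cat > "$NETSTAT_OUT" <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.22            203.0.113.9.51022      ESTABLISHED
tcp4       0      0  10.0.0.5.64243         195.197.175.21.6667    SYN_SENT
udp4       0      0  10.0.0.5.123           *.*
EOF

# hidden_listeners PS_FILE SOCKSTAT_FILE
# Prints "user command pid local-address" for every listening socket whose
# owning PID does not appear in the process table. The kernel knows the
# socket's owner; if ps does not, the process is hidden or ps is not trustworthy.
hidden_listeners() {
    awk '
        FNR == 1      { next }                    # skip both header lines
        NR == FNR     { seen[$1] = 1; next }      # first file: ps, PID in column 1
        !($3 in seen) { print $1, $2, $3, $6 }    # second file: sockstat, PID in column 3
    ' "$1" "$2"
}

# foreign_port_connections NETSTAT_FILE PORT
# Prints "proto local foreign state" for TCP entries whose foreign port matches,
# e.g. outbound connections or connection attempts to an IRC port.
foreign_port_connections() {
    awk -v port="$2" '
        $1 ~ /^tcp/ {
            n = split($5, a, ".")                 # host.port: the port is the last field
            if (a[n] == port) print $1, $4, $5, $6
        }
    ' "$1"
}

echo "Listening sockets with no matching process:"
hidden_listeners "$PS_OUT" "$SOCK_OUT"
echo "Connections to foreign port 6667:"
foreign_port_connections "$NETSTAT_OUT" 6667
```

Run on the constructed captures, the first check reports only the psybnc listener (PID 15819 is in sockstat but not in ps) and the second reports the SYN_SENT attempt to 195.197.175.21 on 6667. On a real incident, capture the outputs once, from a trusted shell or boot medium where possible, and compare them off the host; a listener with no process is grounds to treat the machine as compromised regardless of what top, w and last show.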