From owner-freebsd-questions@FreeBSD.ORG Thu Nov 17 03:37:50 2005
Message-ID: <35c231bf0511161931i371ff97dj6da274892c84619e@mail.gmail.com>
Date: Wed, 16 Nov 2005 19:31:33 -0800
From: David Kirchner
Sender: dpkirchner@gmail.com
To: Mark Kane
Cc: iaccounts@ibctech.ca, Mark Jayson Alvarez, freebsd-questions@freebsd.org
In-Reply-To: <437BED9F.6010703@mkproductions.org>
References: <20051117011640.27963.qmail@web51612.mail.yahoo.com> <437BED9F.6010703@mkproductions.org>
Subject: Re: Need urgent help regarding security
List-Id: User questions

On 11/16/05, Mark Kane wrote:
> I also see a psyBNC server listening on port 7978:
>
> server# sockstat -l4 | grep psybnc
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
> wicked6  psybnc     15819 3  tcp4   *:7978          *:*
>
> Funny thing is there is no process by wicked6 (or by anyone currently)
> called "psybnc". I can connect to an IP on that server on port 7978 and
> get a psyBNC though. I've checked for other processes by wicked6, nothing.

It's very common for them to overwrite argv[0], or use setproctitle stuff
to hide the real name of the program. Some programs don't read that --
sockstat and top are two that don't read the modified program name.

> It's trying to make a connection on 6667 to that IP as I said:
>
> server1# netstat -n | grep 6667
> tcp4       0      0  xx.xx.xx.xx.64243      195.197.175.21.6667    SYN_SENT

netstat -aAn (specifically, the -A) instructs netstat to prepend each line
with the memory address of the network connection. If you run that you'll
see something like:

    f0d710c0 tcp4       0      0  xxx.xxx.xxx.xxx.29     211.119.136.240.66     ESTABLISHED

(sometimes, the port numbers get truncated, so you may have to grep for the
destination IP instead of the port number.)

You can take that address and run fstat | grep address:

    $ fstat | grep f0d710c0
    www      iroffer    19133    3* internet stream tcp f0d710c0

In this specific case, it's an iroffer program run from some PHP backdoor
someone installed on the server (see
http://malformed.org/2005/11/15/zend-encoder-bad-for-the-internet/ for a
description of the present/near-future of these PHP backdoors).

In your case it may be that you're running suexec or suPHP, or it may not
have been started from the web at all. If that's the case, you may be able
to find out what else is going on by ensuring /proc is mounted and then
run: ps -uxwwep pid:

    ps -uxwwep 19133
    USER   PID %CPU %MEM  VSZ RSS  TT  STAT STARTED    TIME COMMAND
    www  19133  0.0  0.0 1244 424  ??  S    22Oct05 12:52.03 ... DOC_ROOT=/usr/home/user/websites/domain.com ...

You may also see SCRIPT_FILENAME or PWD or other environment variables that
may give you hints as to where this was started from.

There are some other programs that'll do all this for you, I think 'lsof'
is one. I dunno. I prefer to use base system utilities. But to each their
own.

Of course, if the listening process isn't showing up at all, but you can
still connect to the port, then you may have some sort of hacked kld loaded
or hacked ps, in which case the attacker has root, which is a far more
serious situation.
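An added example, not from this thread, that carries out the netstat -aAn / fstat correlation described in the reply offline over constructed sample output (the PCB addresses, users, PIDs and addresses are made up), so the joining logic can be exercised on any system; the column positions assume the FreeBSD-era netstat and fstat layouts quoted above.

```shell
#!/bin/sh
# Constructed sample of `netstat -aAn` output (not real data).
NETSTAT_SAMPLE='Active Internet connections (including servers)
Tcpcb    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
f0d710c0 tcp4       0      0  10.0.0.5.29            203.0.113.7.6667       ESTABLISHED
f0d7f000 tcp4       0      0  10.0.0.5.64243         203.0.113.7.6667       SYN_SENT
f0d8a400 tcp4       0      0  *.7978                 *.*                    LISTEN
f0d91800 tcp4       0      0  *.22                   *.*                    LISTEN
f0d9c000 tcp4       0      0  *.31337                *.*                    LISTEN'

# Constructed sample of `fstat` output (not real data). Note that nothing
# here claims the socket f0d9c000: that is the "listener with no process" case.
FSTAT_SAMPLE='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
www      iroffer    19133    3* internet stream tcp f0d710c0
www      iroffer    19133    4* internet stream tcp f0d7f000
wicked6  psybnc     15819    3* internet stream tcp f0d8a400
root     sshd         812    3* internet stream tcp f0d91800'

# pcb_for_port PORT: print the PCB address of every socket whose local or
# foreign port is PORT. Matches ".PORT" at end of field so 22 does not hit 2222.
pcb_for_port() {
  printf '%s\n' "$NETSTAT_SAMPLE" | awk -v p="$1" '
    $1 ~ /^[0-9a-f]+$/ && ($5 ~ ("\\." p "$") || $6 ~ ("\\." p "$")) { print $1 }'
}

# pcb_for_peer HOST: same, keyed on the foreign host instead of the port,
# for the case where netstat truncates the port number.
pcb_for_peer() {
  printf '%s\n' "$NETSTAT_SAMPLE" | awk -v h="$1" '
    $1 ~ /^[0-9a-f]+$/ && index($6, h ".") == 1 { print $1 }'
}

# owner_of_pcb ADDR: print "user command pid" for the process holding the socket.
owner_of_pcb() {
  printf '%s\n' "$FSTAT_SAMPLE" | awk -v a="$1" '$NF == a { print $1, $2, $3 }'
}

# audit_port PORT: report the owner of every socket on PORT. A socket that no
# fstat entry claims is flagged; that is the situation the reply warns about
# (tampered ps/fstat or a kernel module hiding the process).
audit_port() {
  for pcb in $(pcb_for_port "$1"); do
    owner=$(owner_of_pcb "$pcb")
    if [ -n "$owner" ]; then
      printf '%s %s\n' "$pcb" "$owner"
    else
      printf '%s NO-OWNER (hidden process?)\n' "$pcb"
    fi
  done
}
```

On a live FreeBSD host the two samples would be replaced by `netstat -aAn` and `fstat` run as root; the awk joins stay the same.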