Date: Sat, 11 Aug 2007 13:54:29 +0200
From: "Heiko Wundram (Beenic)" <wundram@beenic.net>
To: freebsd-questions@freebsd.org
Subject: Re: server was hacked
Message-ID: <200708111354.29719.wundram@beenic.net>
In-Reply-To: <20070811110231.M84490@bmyster.com>
References: <20070811110231.M84490@bmyster.com>
On Saturday, 11 August 2007 13:20:31, Brent wrote:
> I'm running FBSD 5.4 as a web server. The server is behind a Cisco firewall
> /router and the server has a lot of CMS Joomla / Mambo sites on it. I
> noticed that when I ran sockstat I was seeing multiple IPs connected to
> high ports on the server with a process id of "psybnc". Did some looking
> around & found that this is an IRC relay program that was installed through
> a compromised Mambo site.

That was a known Mambo vulnerability which also hit a client of ours. It's not
a root compromise, though, AFAIR.

> On FBSD how do you checksum binaries on the system to ensure someone hasn't
> replaced one with their own binary.

Install security/tripwire and configure properly.

--
Heiko Wundram
Product & Application Development
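
Added example, not part of the original message and not Tripwire's own code: a minimal sketch of the baseline-and-compare check behind the checksum question above. The function names and the temporary directory standing in for a system bin directory are assumptions; on a real host the baseline has to be taken from a known-good state and stored off the machine.

```python
import hashlib
import pathlib
import stat
import tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID


def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, permission bits)."""
    root = pathlib.Path(root)
    result = {}
    for path in root.rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # directories, symlinks and special files are not hashed
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        result[str(path.relative_to(root))] = (digest, stat.S_IMODE(st.st_mode))
    return result


def compare(baseline, current):
    """Return (path, finding) pairs for every difference from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            findings.append((path, "added" if old is None else "removed"))
            continue
        if old[0] != new[0]:
            findings.append((path, "content changed"))
        if old[1] != new[1]:
            gained = new[1] & SPECIAL and not old[1] & SPECIAL
            findings.append((path, "setuid/setgid gained" if gained else "mode changed"))
    return findings


def demo():
    """Constructed sample: a temp directory stands in for a system bin directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "ls").write_bytes(b"ls v1")
        (root / "ps").write_bytes(b"ps v1")
        baseline = snapshot(root)                    # taken while known good
        (root / "ps").write_bytes(b"ps replaced")    # same name, new content
        (root / "ls").chmod(0o4755)                  # same content, setuid added
        (root / "psybnc").write_bytes(b"new file")   # not in the baseline
        return compare(baseline, snapshot(root))
```

A comparison run from the possibly compromised system itself can be subverted, so run it from trusted media against the offline baseline.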