Date: Mon, 2 Dec 2002 13:53:23 -0500 From: "Charles Swiger" <cswiger@mac.com> To: <freebsd-stable@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG> Subject: Re: psybnc and IRC hack Message-ID: <009101c29a34$1b96f4d0$0301a8c0@prime> References: <20021202123616.A33705@klentaq.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[ This probably belongs on freebsd-security, instead... ] Wayne M Barnes wrote: > How can I best recover from, and defend myself from, a hacker > who breaks into my system and runs a program called psybnc > without my permission? I think he is using my system as a > front/slave. Yes. Unless you installed an IRC bouncer-- or whatever it was being used for-- yourself, it's a safe bet that your machine was hacked. You haven't identified much about the system-- OS version, what service was compromised (if you know, and you should investigate that), as well as form an incident timeline. The best way to recover is to backup the compromised system, for recovery of your data and later forensics if you (or your ISP) chooses to investigate further. Reinstall the latest version of FreeBSD from a known-good image, possibly using CVSUP to upgrade to -STABLE or the security branch for your version (RELENG_4_7?). Then restore your data (after making sure nothing was compromised...that means do not copy date, especially executables without checking them against prior backups). > For now, I have killed psybnc, deleted the directory of stuff > that he put in, and changed my password. Is that any good? It's a good starting point, yes, but it certainly isn't sufficient. > Can there be a real vaccination built in to FreeBSD? Yes. It's easy to compare your system against the software from the OS install disk; where many people encounter problems is with the changes they've made afterwards themselves. How complete are your backups? -Chuck To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?009101c29a34$1b96f4d0$0301a8c0>