From owner-freebsd-questions@FreeBSD.ORG Mon Apr 19 06:16:50 2004
Message-ID: <4083D13C.4020401@daleco.biz>
Date: Mon, 19 Apr 2004 08:16:44 -0500
From: "Kevin D. Kinsey, DaleCo, S.P."
To: "James T. Harrison"
cc: freebsd-questions@freebsd.org
References: <000801c4260a$ab688a20$87312330@icsi.local>
In-Reply-To: <000801c4260a$ab688a20$87312330@icsi.local>
Subject: Re: comments

James T. Harrison wrote:

>My server had some apps running that should not have been there.

That is probably true. It's possible that Microsoft Windows(R) is one of them, in this case.

>You have a hacker using your site to gather info on servers.

That doesn't ring true. Your machine is the one infected .... The material you posted is not evidence of this.
The FreeBSD ftp sites are public sites, and the alleged "hacker" appears to simply be, in your example, connecting to a number of known high speed ftp servers to mine data about your internet connectivity.

>What are your plans to stop? What is your phone number and contact name?

The information for freebsd.org is, well, kind of where you'd expect it to be --- at the Project's web site.

>Here is part of the script.

I note that it's a Windows script, so it is, I suppose, rather OT for this list....

>Notice USA as the country.

I notice a number of countries mentioned. Considering the Internet is world wide, that's not surprising to me.

>This is one of many batch files that were found on my server.

If it is your server, you should probably be asking yourself, "what about my server and configuration allowed these files to be placed there, and what can I do to both fix the situation now and see that it doesn't happen again?"

Perhaps you should look into running a more secure operating system on a server that is connected to a hostile Internet. Could we recommend a *BSD ?

Kevin Kinsey