Date: Sat, 11 Aug 2007 07:20:31 -0400
From: "Brent" <mrb@bmyster.com>
To: questions@freebsd.org
Subject: server was hacked
Message-ID: <20070811110231.M84490@bmyster.com>
I'm running FBSD 5.4 as a web server. The server is behind a Cisco firewall/router and has a lot of CMS Joomla/Mambo sites on it. I noticed that when I ran sockstat I was seeing multiple IPs connected to high ports on the server with a process name of "psybnc". Did some looking around and found that this is an IRC relay program that was installed through a compromised Mambo site. After getting rid of the program I changed our router to disallow this type of traffic and started trying to fix the box. I'm pretty sure that root wasn't compromised, but I'm going to re-install anyway.

My question: has anyone run into this problem with CMS sites? How exactly are they getting in? What are the things I can do to prevent this? On FBSD, how do you checksum binaries on the system to ensure someone hasn't replaced one with their own binary?

Thank you... any and all help is greatly appreciated.

-- Brent
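The last question in the post, how to checksum binaries so that a replaced one is noticed, is the kind of thing a baseline-and-verify script answers. The script below is an added example written for this page; it is not from Brent's message or from any FreeBSD tool. It records a SHA-256 digest for every regular file under a directory (for instance /bin, /sbin, /usr/bin) into a baseline file, and later compares the live tree against that baseline, reporting files that changed, went missing, or appeared. It assumes one of `sha256` (FreeBSD base), `sha256sum` (GNU coreutils) or `openssl` is installed, and that file paths do not contain two consecutive spaces (the field separator used in the baseline format).

```shell
#!/bin/sh
# Added example: baseline/verify file digests to spot replaced binaries.
# Not part of the original post. Assumes sha256, sha256sum or openssl exists.

# digest_file FILE: print "<sha256 hex>  <path>" using whichever tool is present.
digest_file() {
    f="$1"
    if command -v sha256 >/dev/null 2>&1; then            # FreeBSD base system
        printf '%s  %s\n' "$(sha256 -q "$f")" "$f"
    elif command -v sha256sum >/dev/null 2>&1; then       # GNU coreutils
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    else                                                  # fallback: OpenSSL
        printf '%s  %s\n' "$(openssl dgst -sha256 "$f" | awk '{print $NF}')" "$f"
    fi
}

# baseline DIR OUT: record a digest for every regular file under DIR into OUT.
# Run this on a freshly installed (known-good) system and store OUT off-box.
baseline() {
    dir="$1"; out="$2"
    find "$dir" -type f | sort | while read -r f; do
        digest_file "$f"
    done > "$out"
}

# verify DIR BASELINE: re-digest DIR and diff against BASELINE.
# Prints "CHANGED <path>", "MISSING <path>" or "NEW <path>" for each difference.
# Returns 0 when the tree matches the baseline, 1 when anything differs.
verify() {
    dir="$1"; base="$2"
    tmp=$(mktemp) || return 2
    baseline "$dir" "$tmp"
    # First pass loads the baseline into base[]; second pass loads the live
    # digests into cur[]; END walks both tables and reports the differences.
    awk -v basefile="$base" '
        BEGIN { bad = 0 }
        { sum = $1; p = $0; sub(/^[^ ]+  /, "", p) }
        FILENAME == basefile { base[p] = sum; next }
        { cur[p] = sum }
        END {
            for (p in base) {
                if (!(p in cur))            { print "MISSING " p; bad = 1 }
                else if (cur[p] != base[p]) { print "CHANGED " p; bad = 1 }
            }
            for (p in cur) if (!(p in base)) { print "NEW " p; bad = 1 }
            exit bad
        }' "$base" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical use (paths are illustrative):
#   baseline /usr/bin /mnt/readonly/usr-bin.sha256   # right after install
#   verify   /usr/bin /mnt/readonly/usr-bin.sha256   # periodically, or after an incident
```

Two points matter more than the script itself. The baseline is only meaningful if it was taken from a known-good state and kept where an intruder on the box cannot rewrite it (removable media, a read-only mount, or another host), because anyone who could swap a binary could just as easily regenerate the digest list. And a compromised kernel or a trojaned `sha256`/`find` can lie to this check, so the trustworthy way to verify a suspect machine is to boot from clean media and digest the disk from there. FreeBSD also ships mtree(8), which can produce and check a specification with `sha256digest` keywords and is the usual base-system tool for exactly this job.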