Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 11 Aug 2007 07:20:31 -0400
From:      "Brent" <mrb@bmyster.com>
To:        questions@freebsd.org
Subject:   server was hacked
Message-ID:  <20070811110231.M84490@bmyster.com>

Next in thread | Raw E-Mail | Index | Archive | Help
Im running FBSD 5.4 as a web server the server is behind a cisco firewall
/router and the server has alot of CMS jumila / mambo sites on it. I noticed
that when i ran sockstat i was seeing multiple IPs connected to high ports on
the server with a process id of "psybnc" . Did some looking around & found
that this is a IRC relay program that was installed through a compromised
mambo site. after getting rid of the program I changed our router to disallow
this type of traffic..& started trying to fix the box. Im pretty sure that
root wasnt compromised but im going to re-install anyway. my question has
anyone run into this problem with CMS sites, HOw excatly are they getting in ?
what are the things I can do to prevent this. On FBSD how do you checksum
binaries on the system to ensure someone hasnt replaced one with there own binary.

thank you...and & all help is greatly appreciated


--
Brent 




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20070811110231.M84490>