Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 11 Aug 2007 13:54:29 +0200
From:      "Heiko Wundram (Beenic)" <>
Subject:   Re: server was hacked
Message-ID:  <>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Am Samstag 11 August 2007 13:20:31 schrieb Brent:
> Im running FBSD 5.4 as a web server the server is behind a cisco firewall
> /router and the server has alot of CMS jumila / mambo sites on it. I
> noticed that when i ran sockstat i was seeing multiple IPs connected to
> high ports on the server with a process id of "psybnc" . Did some looking
> around & found that this is a IRC relay program that was installed through
> a compromised mambo site.

That was a know Mambo vulnerability which also hit a client of ours. It's not 
a root compromise, though, AFAIR.

> On FBSD how do you checksum binaries on the system to ensure someone hasnt
> replaced one with there own binary.

Install security/tripwire and configure properly.

Heiko Wundram
Product & Application Development

Want to link to this message? Use this URL: <>