Date:      Sat, 11 Aug 2007 13:54:29 +0200
From:      "Heiko Wundram (Beenic)" <wundram@beenic.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: server was hacked
Message-ID:  <200708111354.29719.wundram@beenic.net>
In-Reply-To: <20070811110231.M84490@bmyster.com>
References:  <20070811110231.M84490@bmyster.com>

On Saturday 11 August 2007 13:20:31 Brent wrote:
> I'm running FBSD 5.4 as a web server. The server is behind a Cisco firewall
> /router and the server has a lot of CMS Joomla / Mambo sites on it. I
> noticed that when I ran sockstat I was seeing multiple IPs connected to
> high ports on the server with a process id of "psybnc". Did some looking
> around & found that this is an IRC relay program that was installed through
> a compromised Mambo site.

That was a known Mambo vulnerability which also hit a client of ours. It's not 
a root compromise, though, AFAIR.

> On FBSD how do you checksum binaries on the system to ensure someone hasn't
> replaced one with their own binary.

Install security/tripwire and configure properly.

-- 
Heiko Wundram
Product & Application Development
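
The kind of baseline comparison a file-integrity checker performs, shown in Python as an added example (not part of the original message, and not Tripwire's own code or configuration): it records the SHA-256, mode and owner of every regular file under the given directories, then reports files that were replaced, added, removed or re-permissioned. The function names and the JSON baseline format are assumptions of this example; it also assumes the baseline was taken while the system was known-good, is stored off the host, and that the script runs as root so every file is readable.

```python
import hashlib
import json
import os
import stat
import sys

def snapshot(roots):
    """Map each regular file under roots to its SHA-256, mode, uid and gid."""
    result = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, devices and sockets are not hashed
                with open(path, "rb") as fh:
                    sha = hashlib.sha256(fh.read()).hexdigest()
                result[path] = {"sha256": sha, "mode": stat.S_IMODE(st.st_mode),
                                "uid": st.st_uid, "gid": st.st_gid}
    return result

def save_baseline(roots, baseline_file):
    """Write the known-good state; keep this file off the monitored host."""
    with open(baseline_file, "w") as fh:
        json.dump(snapshot(roots), fh, indent=1, sort_keys=True)

def verify(roots, baseline_file):
    """Return (status, path) pairs, sorted by path, for every deviation."""
    with open(baseline_file) as fh:
        old = json.load(fh)
    new = snapshot(roots)
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            findings.append(("removed", path))
        elif path not in old:
            findings.append(("added", path))   # e.g. a dropped IRC bouncer
        elif old[path]["sha256"] != new[path]["sha256"]:
            findings.append(("content-changed", path))
        elif old[path] != new[path]:
            findings.append(("perms-changed", path))  # mode, uid or gid differs
    return findings

if __name__ == "__main__":  # usage: init|check BASELINE DIR...
    cmd, baseline, roots = sys.argv[1], sys.argv[2], sys.argv[3:]
    if cmd == "init":
        save_baseline(roots, baseline)
    for status, path in verify(roots, baseline):
        print(status, path)
```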


