From: "Heiko Wundram (Beenic)" <wundram@beenic.net>
Organization: Beenic Networks GmbH
To: freebsd-questions@freebsd.org
Date: Sat, 11 Aug 2007 13:54:29 +0200
Subject: Re: server was hacked

On Saturday 11 August 2007 13:20:31, Brent wrote:
> I'm running FBSD 5.4 as a web server. The server is behind a Cisco
> firewall/router and has a lot of CMS Joomla/Mambo sites on it. I
> noticed that when I ran sockstat I was seeing multiple IPs connected to
> high ports on the server with a process id of "psybnc". Did some looking
> around and found that this is an IRC relay program that was installed
> through a compromised Mambo site.
That was a known Mambo vulnerability which also hit a client of ours. It's
not a root compromise, though, AFAIR.

> On FBSD how do you checksum binaries on the system to ensure someone hasn't
> replaced one with their own binary.

Install security/tripwire and configure properly.

-- 
Heiko Wundram
Product & Application Development
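To show what the checksum question above comes down to, here is a minimal baseline-and-compare script; it is an added example, not part of Heiko's reply or of the tripwire port, and it assumes the baseline path (/var/db/bin.sha256) and that file names under the checked directories contain no whitespace.

```sh
#!/bin/sh
# Baseline-and-verify SHA-256 check for a tree of binaries (added example).
# Uses sha256(1) on FreeBSD and sha256sum(1) elsewhere; both print the digest
# first, so awk normalises the output to "<digest> <path>".
# Assumption: paths contain no whitespace (true for /bin, /sbin, /usr/bin).
LC_ALL=C; export LC_ALL

hash_tree() {
    # Print "<sha256> <path>" for every regular file under $1, sorted by path.
    if command -v sha256 >/dev/null 2>&1; then
        find "$1" -type f -exec sha256 -r {} +
    else
        find "$1" -type f -exec sha256sum {} +
    fi | awk '{ print $1, $2 }' | sort -k2
}

create_baseline() {
    # $1 = directory to snapshot, $2 = baseline file. Keep the baseline off-host
    # or read-only: one stored on the box can be edited along with the binaries.
    hash_tree "$1" > "$2"
}

verify_baseline() {
    # $1 = directory, $2 = baseline file. Prints one line per difference
    # (MODIFIED/ADDED/REMOVED <path>) and returns 1 if anything changed.
    current=$(mktemp "${TMPDIR:-/tmp}/binchk.XXXXXX") || return 2
    hash_tree "$1" > "$current"
    changes=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in base))        print "ADDED    " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }' "$2" "$current")
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Typical use on the server (baseline taken from a known-good install, not from
# the machine after the psybnc discovery; the baseline path is an assumption):
#   create_baseline /usr/local/bin /var/db/bin.sha256    -- once, while clean
#   verify_baseline /usr/local/bin /var/db/bin.sha256    -- periodically, from cron
```

The point of tripwire over a script like this is that it keeps the database and policy signed, so a tampered baseline is itself detected.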