From owner-freebsd-stable Mon Dec 2 10:45:18 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A092237B401 for ; Mon, 2 Dec 2002 10:45:16 -0800 (PST)
Received: from smtpproxy2.mitre.org (smtpproxy2.mitre.org [192.80.55.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id D9BBC43ED1 for ; Mon, 2 Dec 2002 10:45:15 -0800 (PST) (envelope-from jandrese@mitre.org)
Received: from avsrv1.mitre.org (avsrv1.mitre.org [129.83.20.58]) by smtpproxy2.mitre.org (8.11.3/8.11.3) with ESMTP id gB2Ij9V29070; Mon, 2 Dec 2002 13:45:09 -0500 (EST)
Received: from MAILHUB2 (mailhub2.mitre.org [129.83.221.18]) by smtpsrv1.mitre.org (8.11.3/8.11.3) with ESMTP id gB2Ij7i15669; Mon, 2 Dec 2002 13:45:07 -0500 (EST)
Received: from mm112324-2k.mitre.org (128.29.3.65) by mailhub2.mitre.org with SMTP id 304691; Mon, 02 Dec 2002 13:45:01 -0500
Message-ID: <3DEBAA2B.8060104@mitre.org>
Date: Mon, 02 Dec 2002 13:44:59 -0500
From: Jason Andresen
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021016
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Wayne M Barnes
Cc: freebsd-stable@freebsd.org
Subject: Re: psybnc and IRC hack
References: <20021202123616.A33705@klentaq.com>
In-Reply-To: <20021202123616.A33705@klentaq.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Wayne M Barnes wrote:
>Dear FreeBSD,
>
> How can I best recover from, and defend myself from, a hacker
>who breaks into my system and runs a program called psybnc
>without my permission? I think he is using my system as a front/slave.
>
> For now, I have killed psybnc, deleted the directory of stuff
>that he put in, and changed my password. Is that any good?
>
> Can there be a real vaccination built in to FreeBSD?
>

The only way you can be sure now is to do a fresh reinstall of the entire OS from CD. The cracker could have installed any number of nasty little surprises for you, including trojan kernel modules, trojaned binaries, or even a trojaned compiler. You should consider your new password compromised, as passwd may have been trojaned.

If you have an offline backup somewhere from before your system was compromised, you may use that as well.

-- 
 \ |_ _|__ __|_ \ __|    Jason Andresen jandrese@mitre.org
 |\/ | | | / _|          Network and Distributed Systems Engineer
 _| _|___| _| _|_\___|   Office: 703-883-7755

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
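The reply's point is that once binaries such as passwd may have been replaced, nothing on the running host can be trusted to tell you what changed. The following is an added illustration, not code from the thread or from FreeBSD: it hashes a tree of files against a baseline manifest taken from a known-clean source (an offline backup or install media, as the reply suggests) and reports which files were modified, removed or added. The directory layout, file contents and the `var/tmp/.psybnc` path in the demo are constructed for the example. Such a comparison only scopes the damage and only means anything when run from trusted media against the compromised disk mounted read-only; a trojaned kernel module on the live system could hide files from this very script, which is exactly why the reply recommends reinstalling rather than cleaning in place.

```python
"""Scope a suspected compromise by diffing a filesystem tree against a clean baseline manifest.

Added example; all sample files below are constructed inline so it runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, streamed in 64 KiB chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative path) to its SHA-256.

    Symlinks are skipped rather than followed so an attacker-planted link cannot
    point the scan at a clean copy elsewhere on disk.
    """
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[str(p.relative_to(root))] = sha256_of(p)
    return manifest


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as modified (hash differs), missing (gone) or added (not in baseline)."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: 'clean' stands in for the offline backup, 'live' for the compromised disk."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        live = Path(tmp) / "live"
        for root in (clean, live):
            (root / "usr/bin").mkdir(parents=True)
            (root / "usr/bin/passwd").write_bytes(b"#!/bin/sh\necho original passwd\n")
            (root / "usr/bin/ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        # Only the clean tree still has this tool (constructed: removed from the live copy).
        (clean / "usr/bin/netstat").write_bytes(b"#!/bin/sh\necho original netstat\n")
        # Live tree: passwd replaced, a bouncer directory dropped in, ls left untouched (all constructed).
        (live / "usr/bin/passwd").write_bytes(b"#!/bin/sh\necho replaced passwd\n")
        (live / "var/tmp/.psybnc").mkdir(parents=True)
        (live / "var/tmp/.psybnc/psybnc").write_bytes(b"constructed placeholder, not a real binary")
        return compare(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline manifest is generated once from the clean source and kept off the host; `build_manifest` is then pointed at the mount point of the suspect disk from a rescue boot. Untouched files (ls in the demo) produce no output, so the report is short enough to read by hand.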