Date: Thu, 17 Nov 2005 10:43:20 -0600
From: Paul Schmehl <pauls@utdallas.edu>
To: Steve Bertrand <iaccounts@ibctech.ca>, 'Mark Jayson Alvarez' <jay2xra@yahoo.com>
Cc: 'FreeBSD Questions' <questions@freebsd.org>
Subject: RE: Need urgent help regarding security
Message-ID: <8BFD83D4B5B560BBB38AC886@utd59514.utdallas.edu>
In-Reply-To: <20051117013004.CBEA243D45@mx1.FreeBSD.org>
References: <20051117013004.CBEA243D45@mx1.FreeBSD.org>

--On Wednesday, November 16, 2005 20:29:55 -0500 Steve Bertrand <iaccounts@ibctech.ca> wrote:

>
>> I think we have a serious problem. One of our old server
>> running FreeBSD 4.9 have been compromised and is now
>> connected to an ircd server..
>> 195.204.1.132.6667 ESTABLISHED
>
> Ran into this recently. Please post the entire output from:
>
># top
># w
># last
># ps -aux
># uname -a
>

Just keep in mind that any or all of these could be hacked versions designed to hide everything the attacker is doing. Once a box has been hacked, you can no longer trust any of the binaries unless you can verify their integrity with MD5 sums from the same binaries on a known good box.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
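
The MD5 comparison described in the message above, as an added sketch that is not part of the original e-mail: a manifest is built on a known good box and checked against the suspect filesystem. The function names (`hash_file`, `make_manifest`, `verify_manifest`, `demo`) are hypothetical, and the demo uses constructed stand-in files at the usual FreeBSD paths of the five commands listed in the thread.

```shell
# Print the MD5 hex digest of one file (md5sum on Linux, md5 -q on FreeBSD).
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d ' ' -f 1
    else
        md5 -q "$1"
    fi
}

# Run on the known good box: emit "digest  relative/path" for each file.
make_manifest() {
    root=$1; shift
    for rel in "$@"; do
        printf '%s  %s\n' "$(hash_file "$root/$rel")" "$rel"
    done
}

# Check the suspect tree at ROOT; returns 1 if any file is missing or differs.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r want rel; do
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"; bad=1
        elif [ "$(hash_file "$root/$rel")" != "$want" ]; then
            echo "MISMATCH $rel"; bad=1
        else
            echo "OK       $rel"
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demo: two throwaway trees stand in for the good and suspect boxes.
demo() {
    tmp=$(mktemp -d) || return 2
    files="bin/ps usr/bin/top usr/bin/w usr/bin/last usr/bin/uname"
    for rel in $files; do
        mkdir -p "$tmp/good/${rel%/*}" "$tmp/suspect/${rel%/*}"
        echo "constructed stand-in for $rel" > "$tmp/good/$rel"
        cp "$tmp/good/$rel" "$tmp/suspect/$rel"
    done
    echo "modified" >> "$tmp/suspect/bin/ps"      # simulate a replaced binary
    rm "$tmp/suspect/usr/bin/last"                # simulate a removed binary
    make_manifest "$tmp/good" $files > "$tmp/manifest"
    rc=0; verify_manifest "$tmp/manifest" "$tmp/suspect" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
demo || echo "integrity check failed: do not trust the flagged binaries"
```

The check is only as trustworthy as the shell and hashing tool that run it, so it belongs on trusted media with the suspect disk mounted read-only, not on the compromised system's own binaries.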