Need urgent help regarding security

David Kirchner dpk at
Thu Nov 17 03:37:50 GMT 2005

On 11/16/05, Mark Kane <mark at> wrote:
> I also see a psyBNC server listening on port 7978:
> server# sockstat -l4 | grep psybnc
> wicked6  psybnc     15819 3  tcp4   *:7978                *:*
> Funny thing is there is no process by wicked6 (or by anyone currently)
> called "psybnc". I can connect to an IP on that server on port 7978 and
> get a psyBNC though. I've checked for other processes by wicked6, nothing.

It's very common for them to overwrite argv[0], or use setproctitle
stuff to hide the real name of the program. Some programs don't read
that -- sockstat and top are two that don't read the modified program

> It's trying to make a connection on 6667 to that IP as I said:
> server1# netstat -n | grep 6667
> tcp4       0      0  xx.xx.xx.xx.64243    SYN_SENT

netstat -aAn (specifically, the -A) instructs netstat to prepend each
line with the memory address of the network connection. If you run
that you'll see something like:

f0d710c0 tcp4       0      0 ESTABLISHED

(sometimes, the port numbers get truncated, so you may have to grep
for the destination IP instead of the port number.)

You can take that address and run fstat | grep address:

$ fstat | grep f0d710c0
www      iroffer    19133    3* internet stream tcp f0d710c0

In this specific case, it's an iroffer program run from some PHP
backdoor someone installed on the server (see for
a description of the present/near-future of these PHP backdoors). In
your case it may be that you're running suexec or suPHP, or it may not
have been started from the web at all. If that's the case, you may be
able to find out what else is going on by ensuring /proc is mounted
and then run: ps -uxwwep pid:

ps -uxwwep 19133
www  19133  0.0  0.0  1244  424  ??  S    22Oct05  12:52.03 ...
DOC_ROOT=/usr/home/user/websites/ ...

You may also see SCRIPT_FILENAME or PWD or other environment variables
that may give you hints as to where this was started from.

There are some other programs that'll do all this for you, I think
'lsof' is one. I dunno. I prefer to use base system utilities. But to
each their own.

Of course, if the listening process isn't showing up at all, but you
can still connect to the port, then you may have some sort of hacked
kld loaded or hacked ps, in which case the attacker has root, which is
a far more serious situation.
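The netstat -aAn -> fstat -> ps chain above can be scripted so the same check is repeated consistently across every suspicious port. The following Python is an added example, not code from the original post or from FreeBSD: it parses constructed samples of those three utilities' output (the kernel addresses, PIDs, usernames and paths are made up), links a socket to its owning PID through the shared kernel address, and compares the kernel's command name (what fstat/sockstat report) against the argv-derived name ps shows, flagging the two cases the post describes: a disguised argv[0], and a PID that does not appear in ps at all.

```python
"""Correlate a suspicious connection with its owning process by following
the netstat -aAn -> fstat -> ps chain.  All utility output below is
constructed for the example; field layouts follow the FreeBSD 5/6-era
tools but every address, PID, user and path is made up."""
import re

# Constructed `netstat -aAn` output: with -A the first column is the
# kernel address of the socket's control block.
NETSTAT_OUTPUT = """\
Active Internet connections (including servers)
Tcpcb    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
f0d710c0 tcp4       0      0  192.0.2.10.64243       198.51.100.7.6667      SYN_SENT
f0d72340 tcp4       0      0  *.7978                 *.*                    LISTEN
f0d73a80 tcp4       0      0  192.0.2.10.22          203.0.113.5.51234      ESTABLISHED
"""

# Constructed `fstat` output: the last field of an "internet" line is the
# same kernel address, which links the socket to a PID and to the kernel's
# own command name (not argv[0], which a program can overwrite).
FSTAT_OUTPUT = """\
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
www      iroffer    19133    3* internet stream tcp f0d710c0
wicked6  psybnc     15819    3* internet stream tcp f0d72340
root     sshd         812    4* internet stream tcp f0d73a80
"""

# Constructed `ps -auxwwe` output: argv-derived command followed by the
# environment.  PID 19133 shows a disguised argv[0]; PID 15819 is missing.
PS_OUTPUT = """\
USER    PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root    812  0.0  0.1  3240 1800  ??  Is   22Oct05   0:00.12 /usr/sbin/sshd
www   19133  0.0  0.0  1244  424  ??  S    22Oct05  12:52.03 /usr/local/sbin/httpd DOC_ROOT=/usr/home/user/websites/ SCRIPT_FILENAME=/usr/home/user/websites/img/cmd.php PWD=/usr/home/user/websites/img
"""

# Environment variables that hint at where a web-spawned process came from.
ENV_HINTS = ("DOC_ROOT", "SCRIPT_FILENAME", "PWD")


def parse_netstat(text):
    """Map kernel socket address -> proto/local/foreign/state."""
    sockets = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not re.fullmatch(r"[0-9a-f]{8}", f[0]):
            continue  # header or non-socket line
        sockets[f[0]] = {"proto": f[1], "local": f[4], "foreign": f[5],
                         "state": f[6] if len(f) > 6 else ""}
    return sockets


def parse_fstat(text):
    """Map kernel socket address -> owning user, kernel command name, PID."""
    owners = {}
    for line in text.splitlines():
        f = line.split()
        if "internet" in f and len(f) >= 4 and f[2].isdigit():
            owners[f[-1]] = {"user": f[0], "cmd": f[1], "pid": int(f[2])}
    return owners


def parse_ps(text):
    """Map PID -> argv command string and any hint environment variables."""
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 10)  # keep COMMAND plus environment intact
        if len(f) < 11 or not f[1].isdigit():
            continue
        rest = f[10]
        env = dict(re.findall(r"\b([A-Z_][A-Z0-9_]*)=(\S*)", rest))
        first_var = re.search(r"\s[A-Z_][A-Z0-9_]*=", rest)
        argv = rest[:first_var.start()] if first_var else rest
        procs[int(f[1])] = {"argv": argv.strip(),
                            "hints": {k: v for k, v in env.items() if k in ENV_HINTS}}
    return procs


def port_of(endpoint):
    """FreeBSD netstat prints host.port (or *.port); return the port part."""
    return endpoint.rpartition(".")[2]


def trace_connections(netstat_text, fstat_text, ps_text, port):
    """One finding per socket whose local or foreign port matches `port`."""
    sockets = parse_netstat(netstat_text)
    owners = parse_fstat(fstat_text)
    procs = parse_ps(ps_text)
    findings = []
    for addr, sock in sockets.items():
        if port not in (port_of(sock["local"]), port_of(sock["foreign"])):
            continue
        owner = owners.get(addr)
        if owner is None:
            findings.append({"addr": addr, "pid": None, "kernel_cmd": None,
                             "hints": {}, "verdict": "no owner in fstat"})
            continue
        proc = procs.get(owner["pid"])
        if proc is None:
            verdict = "pid absent from ps output"
        elif proc["argv"].split()[0].rsplit("/", 1)[-1] != owner["cmd"]:
            verdict = "argv command name differs from kernel name"
        else:
            verdict = "consistent"
        findings.append({"addr": addr, "pid": owner["pid"], "user": owner["user"],
                         "kernel_cmd": owner["cmd"], "state": sock["state"],
                         "hints": proc["hints"] if proc else {}, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for p in ("6667", "7978", "22"):
        for finding in trace_connections(NETSTAT_OUTPUT, FSTAT_OUTPUT, PS_OUTPUT, p):
            print(p, finding)
```

On a live FreeBSD box the three constants would be replaced by the captured output of `netstat -aAn`, `fstat` and `ps -auxwwe` (with /proc mounted for the environment to show). A "pid absent from ps output" verdict is the case the post's last paragraph warns about, where the listening process is invisible to userland tools and a modified ps or loaded kld should be suspected.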

More information about the freebsd-questions mailing list