Need urgent help regarding security
David Kirchner
dpk at dpk.net
Thu Nov 17 03:37:50 GMT 2005
On 11/16/05, Mark Kane <mark at mkproductions.org> wrote:
> I also see a psyBNC server listening on port 7978:
>
> server# sockstat -l4 | grep psybnc
> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> wicked6 psybnc 15819 3 tcp4 *:7978 *:*
>
> Funny thing is there is no process by wicked6 (or by anyone currently)
> called "psybnc". I can connect to an IP on that server on port 7978 and
> get a psyBNC though. I've checked for other processes by wicked6, nothing.
It's very common for them to overwrite argv[0], or use setproctitle
stuff to hide the real name of the program. Some programs don't read
that -- sockstat and top are two that don't read the modified program
name.
> It's trying to make a connection on 6667 to that IP as I said:
>
> server1# netstat -n | grep 6667
> tcp4 0 0 xx.xx.xx.xx.64243 195.197.175.21.6667 SYN_SENT
netstat -aAn (specifically, the -A) instructs netstat to prepend each
line with the memory address of the network connection. If you run
that you'll see something like:
f0d710c0 tcp4 0 0 xxx.xxx.xxx.xxx.29 211.119.136.240.66 ESTABLISHED
(sometimes, the port numbers get truncated, so you may have to grep
for the destination IP instead of the port number.)
You can take that address and run fstat | grep address:
$ fstat | grep f0d710c0
www iroffer 19133 3* internet stream tcp f0d710c0
In this specific case, it's an iroffer program run from some PHP
backdoor someone installed on the server (see
http://malformed.org/2005/11/15/zend-encoder-bad-for-the-internet/ for
a description of the present/near-future of these PHP backdoors). In
your case it may be that you're running suexec or suPHP, or it may not
have been started from the web at all. If that's the case, you may be
able to find out what else is going on by ensuring /proc is mounted
and then run: ps -uxwwep pid:
ps -uxwwep 19133
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
www 19133 0.0 0.0 1244 424 ?? S 22Oct05 12:52.03 ...
DOC_ROOT=/usr/home/user/websites/domain.com ...
You may also see SCRIPT_FILENAME or PWD or other environment variables
that may give you hints as to where this was started from.
There are some other programs that'll do all this for you, I think
'lsof' is one. I dunno. I prefer to use base system utilities. But to
each their own.
Of course, if the listening process isn't showing up at all, but you
can still connect to the port, then you may have some sort of hacked
kld loaded or hacked ps, in which case the attacker has root, which is
a far more serious situation.
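The netstat -aAn -> fstat -> ps -uxwwep chain described in the reply, as an added shell example that is not part of the thread. The command outputs embedded in it are constructed samples modelled on the lines quoted above; the local address 10.0.0.5, the extra psybnc/sshd fstat rows and every path other than DOC_ROOT are assumptions, and on a live FreeBSD host you would substitute the real output of each command.

```shell
#!/bin/sh
# Correlate a suspicious connection with its owning process using the three
# steps from the reply: netstat -aAn (socket address) -> fstat (owner, PID)
# -> ps -uxwwep PID (environment). All command output below is CONSTRUCTED,
# modelled on the lines quoted in the thread, so the script runs offline.

# Constructed `netstat -aAn` output; column 1 is the socket's memory address.
NETSTAT_SAMPLE='Tcpcb    Proto Recv-Q Send-Q Local Address    Foreign Address       (state)
f0d710c0 tcp4       0      0 10.0.0.5.29      211.119.136.240.66    ESTABLISHED
f0d73a80 tcp4       0      0 10.0.0.5.64243   195.197.175.21.6667   SYN_SENT
f0d74f20 tcp4       0      0 *.7978           *.*                   LISTEN'

# Constructed `fstat` output; the socket address is the last field.
FSTAT_SAMPLE='USER     CMD      PID   FD MOUNT    INUM   MODE   SZ|DV R/W
www      iroffer  19133  3* internet stream tcp f0d710c0
wicked6  psybnc   15819  3* internet stream tcp f0d74f20
wicked6  psybnc   15819  4* internet stream tcp f0d73a80
root     sshd       712  4* internet stream tcp f0d70000'

# Constructed `ps -uxwwep 19133` output (-e appends the environment).
PS_SAMPLE='USER  PID %CPU %MEM  VSZ RSS TT STAT STARTED    TIME COMMAND
www 19133  0.0  0.0 1244 424 ?? S    22Oct05 12:52.03 ./iroffer DOC_ROOT=/usr/home/user/websites/domain.com SCRIPT_FILENAME=/usr/home/user/websites/domain.com/up.php PWD=/tmp'

# Socket addresses of every connection whose foreign address is IP $1.
# Matching on "IP." rather than on the port sidesteps the truncated-port
# problem mentioned in the reply.
socket_addrs_for_ip() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v ip="$1" '
        BEGIN { pfx = ip "." }
        $2 ~ /^(tcp|udp)/ && index($6, pfx) == 1 { print $1 }'
}

# "user command pid" of the process holding socket address $1.
owner_of_socket() {
    printf '%s\n' "$FSTAT_SAMPLE" | awk -v addr="$1" '$NF == addr { print $1, $2, $3 }'
}

# Whole chain: remote IP -> socket address(es) -> owning process(es).
owners_for_ip() {
    for addr in $(socket_addrs_for_ip "$1"); do
        owner_of_socket "$addr"
    done
}

# Environment variables that hint at where the process was started from.
origin_hints() {
    printf '%s\n' "$PS_SAMPLE" | tr ' ' '\n' | grep -E '^(DOC_ROOT|SCRIPT_FILENAME|PWD)='
}
```

A process that has rewritten argv[0] still shows up here because fstat keys on the socket address, not the command name; an empty result for a connection you can see on the wire is the "hacked ps / kld" case the reply warns about.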
More information about the freebsd-questions
mailing list