Need urgent help regarding security
mark at mkproductions.org
Thu Nov 17 05:08:14 GMT 2005
Steve Bertrand wrote:
>>- "top" lists nothing significant. 97% idle CPU
> Irrelevant, the process is probably idle right now.
I understand, but I was trying to give you the results of the commands
that you asked Mark Alvarez to run.
>>- "w" only shows myself and one other legit user logged in
>>who is editing config files with vi
> Perhaps they aren't currently logged in.
It doesn't look like someone got SSH access, it looks more to me like
it's a vulnerable PHP script or something. Not sure, but that would be
>>- "last" shows nothing but myself and that one other user
> What is the last entry that last shows (no pun intended)... i.e., what is
> the date?
The dates on "last" range from Nov 1st to today. All but 2 are from my
IP logging in, and the others are users who just edit config files and
untar files on the server (I've verified that those are their real, legit IPs).
>>- "ps -aux" doesn't say anything about psyBNC or bnc.
>>everything looks normal as of now
> Ok, here's what to do:
> # pkg_add -r nmap
> # rehash
> # nmap -sS -P0 my.ip.server.com
> ...then (probably futile):
> # nmap -sU -P0 my.ip.server.com
> which will tell you if you are listening on ports you *shouldn't* have
I will email you off the list with that info.
>>- It's a FreeBSD 5.4-RELEASE machine with a generic kernel
>>except with quota support
> You still didn't answer the FTP question. What services should be
> running on it?
Well I am a different Mark than originally posted. I just saw this on
the list and found a connection attempt through netstat to the same IP
and port as the original Mark that posted.
I, unlike Mark Alvarez, run more than just an FTP server. I will email
you with those services.
> You can easily rebuild a new kernel with:
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT_1000
> Then create a script blocking ALL ports except those that you need.
> Especially only allow SSH access to the box from a limited set of IPs. If you
> need help, just ask.
Thanks for the suggestion. I personally have no experience with IPFW (I
have played with IPF a little bit on a test box here) so I will have to
think on that a little. I am guessing you suggest IPFW as opposed to IPF
correct? I read up on IPFW and IPF in the handbook when I was
experimenting with firewalls and the rule syntax and things seemed more
logical to me with IPF, but I did not look that far in depth.
My servers are also remote so I would have to make sure I didn't
firewall myself out when enabling any firewall. ;)
> This sounds like a brute-forced password hack via remote access, or an
> overflow in vulnerable software that should not be Internet facing.
> Don't give me your IP if you don't want, just tell us (or me personally)
> what should be Internet facing (as far as services), and get you fixed
I will email you the services that need to be open.
> Have you checked your daily cron outputs lately? What do they say?
All I see is legit cronjobs from a billing system that I run and some
from cPanel such as cpumonitor and backups.
> nmap is your friend, and so is IPFW. Figure out exactly what you need to
> face the Internet, and staple the rest closed.
Thanks again for your help.
GnuPG Public Key:
Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net
MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
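The advice above (rebuild with IPFIREWALL and IPFIREWALL_VERBOSE, then script a ruleset that closes everything except the services that must face the Internet and limits SSH to a few admin addresses) and the worry about firewalling yourself out of a remote box are what the following script addresses. It is an added example, not code posted by anyone in the thread. The interface name fxp0, the admin addresses (RFC 5737 documentation ranges) and the public port list are placeholders to be replaced with the real values; the rule layout follows the stateful ipfw idiom rather than anything the thread specified.

```shell
#!/bin/sh
# Added example, not part of the thread: an IPFW ruleset for a remote FreeBSD
# box that exposes only the services it must, restricts SSH to a short list
# of admin IPs, and guards against locking yourself out while loading it.
# Placeholders (assumptions, not from the thread): the interface name, the
# admin IPs (RFC 5737 documentation addresses) and the public port list.

EXT_IF="${EXT_IF:-fxp0}"                              # outside interface
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 198.51.100.7}"   # who may reach SSH
PUBLIC_TCP="${PUBLIC_TCP:-21 80 443}"                 # what must face the Internet
GUARD_SECS="${GUARD_SECS:-300}"                       # lockout guard timer
DRY_RUN="${DRY_RUN:-1}"                               # 1 = print only, 0 = load

# Print the ruleset, one "ipfw add ..." argument list per line, in evaluation
# order. Rule numbers leave gaps so rules can be inserted later without renumbering.
build_ipfw_rules() {
    # Loopback is allowed; anything on the wire claiming 127/8 is dropped
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 deny ip from any to 127.0.0.0/8"
    echo "add 300 deny ip from 127.0.0.0/8 to any"
    # Dynamic rules: replies to connections the box opened itself
    echo "add 400 check-state"
    echo "add 500 allow tcp from me to any out via $EXT_IF setup keep-state"
    echo "add 600 allow udp from me to any out via $EXT_IF keep-state"
    # ICMP echo request/reply, unreachable and time exceeded; nothing else
    echo "add 700 allow icmp from any to any icmptypes 0,3,8,11"
    # SSH only from the admin list, one rule per address
    n=1000
    for ip in $ADMIN_IPS; do
        echo "add $n allow tcp from $ip to me 22 in via $EXT_IF setup keep-state"
        n=$((n + 10))
    done
    # Public services, one rule per port
    n=2000
    for port in $PUBLIC_TCP; do
        echo "add $n allow tcp from any to me $port in via $EXT_IF setup keep-state"
        n=$((n + 10))
    done
    # Everything else is denied and logged; the kernel's IPFIREWALL_VERBOSE and
    # IPFIREWALL_VERBOSE_LIMIT options turn logging on and cap its rate.
    echo "add 65000 deny log ip from any to any"
}

# With DRY_RUN=1 (the default) print the commands for review; with DRY_RUN=0
# flush the current table and load the rules for real.
apply_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        build_ipfw_rules | sed 's/^/ipfw /'
        return 0
    fi
    ipfw -q -f flush
    build_ipfw_rules | while read -r rule; do
        ipfw -q $rule      # unquoted on purpose: one argument per token
    done
}

# Anti-lockout guard for a remote box: start this BEFORE loading the rules.
# It prints the PID of a timer that reopens the firewall after GUARD_SECS.
# Load the rules, confirm a NEW ssh session still works, then kill that PID.
# If you did lock yourself out, wait for the timer and fix the rules.
start_lockout_guard() {
    (
        sleep "$GUARD_SECS"
        ipfw -q -f flush
        ipfw -q add 65000 allow ip from any to any
    ) &
    echo $!
}

apply_rules
```

Run it once with the default DRY_RUN=1 and read the output; then, from a session on the box, `GUARD=$(start_lockout_guard)`, `DRY_RUN=0 ./ipfw.rules`, open a second ssh session from one of the admin addresses, and `kill $GUARD` only once that second session works. A kernel built with `options IPFIREWALL` alone ends the table with a deny-everything rule 65535, which is why the guard restores an allow rule rather than just flushing. To have the rules load at boot, point `firewall_script` in /etc/rc.conf at the script and set `firewall_enable="YES"`.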