Need urgent help regarding security

Mark Kane mark at mkproductions.org
Thu Nov 17 05:08:14 GMT 2005


Steve Bertrand wrote:
>>- "top" lists nothing significant. 97% idle CPU
> 
> 
> Irrelevant, the process is probably idle right now.

I understand, but I was trying to give you the results of the commands
that you asked Mark Alvarez to run.

>>- "w" only shows myself and one other legit user logged in 
>>who is editing config files with vi
> 
> 
> Perhaps they aren't currently logged in.

It doesn't look like someone got SSH access, it looks more to me like
it's a vulnerable PHP script or something. Not sure, but that would be
my guess.

>>- "last" shows nothing but myself and that one other user
> 
> 
> What is the last entry that last shows (no pun intended)... i.e., what is
> the date?

The dates on "last" range from Nov 1st to today. All but 2 are from my
IP logging in, and the others are users who just edit config files and
untar files on the server (I've verified that these are their real, legit IPs).

>>- "ps -aux" doesn't say anything about psyBNC or bnc. 
>>everything looks normal as of now
> 
> 
> Ok, here's what to do:
> 
> # pkg_add -r nmap
> # rehash
> # nmap -sS -P0 my.ip.server.com
> 
> ...then (probably futile):
> 
> # nmap -sU -P0 my.ip.server.com
> 
> which will tell you if you are listening on ports you *shouldn't* have
> open.

I will email you off the list with that info.

>>- It's a FreeBSD 5.4-RELEASE machine with a generic kernel 
>>except with quota support
> 
> 
> You still didn't answer the FTP question. What services should be
> running on it?

Well, I am a different Mark than the one who originally posted. I just saw this on
the list and found a connection attempt through netstat to the same IP
and port as the original Mark who posted.

I, unlike Mark Alvarez, run more than just an FTP server. I will email
you with those services.

> You can easily rebuild a new kernel with:
> 
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT_1000
> 
> Then create a script blocking ALL ports except those that you need.
> Especially only allow SSH access to the box from limited IPs. If you
> need help, just ask.

Thanks for the suggestion. I personally have no experience with IPFW (I
have played with IPF a little bit on a test box here), so I will have to
think on that a little. I am guessing you suggest IPFW as opposed to IPF,
correct? I read up on IPFW and IPF in the handbook when I was
experimenting with firewalls, and the rule syntax and things seemed more
logical to me with IPF, but I did not look that far in depth.

My servers are also remote so I would have to make sure I didn't
firewall myself out when enabling any firewall. ;)

> This sounds like a brute-forced password hack via remote access, or an
> overflow via vulnerable software that should not be Internet facing.
> 
> Don't give me your IP if you don't want, just tell us (or me personally)
> what should be Internet facing (as far as services), and get you fixed
> up.

I will email you the services that need to be open.

> Have you checked your daily cron outputs lately? What do they say?

All I see are legit cron jobs from a billing system that I run and some
from cPanel such as cpumonitor and backups.

> nmap is your friend, and so is IPFW. Figure out exactly what you need to
> face the Internet, and staple the rest closed.
> 
> Steve

Thanks again for your help.

-Mark Kane

-- 
GnuPG Public Key:
http://www.mkproductions.org/mk_pubkey.asc

Internet Radio:
Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net

IRC:
MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
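One way to turn Steve's "block ALL ports except those you need, SSH only from limited IPs" advice into a reviewable IPFW ruleset, with a guard against firewalling yourself out of a remote box as Mark worries about. This is an added example, not Steve's or Mark's script: the interface name fxp0, the admin addresses and the public ports are constructed placeholders, and it assumes a kernel built with the IPFIREWALL options quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: print an IPFW ruleset for a remote
# FreeBSD 5.x box that exposes only the services it must, allows SSH solely
# from listed admin addresses, and logs everything else it denies. The
# commands are printed (not executed) so they can be reviewed before use.
# Assumes a kernel built with IPFIREWALL/IPFIREWALL_VERBOSE as Steve suggests.

EXT_IF="${EXT_IF:-fxp0}"                               # assumption: external interface
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 198.51.100.0/24}" # constructed: where you SSH from
PUBLIC_PORTS="${PUBLIC_PORTS:-21 80 443}"              # constructed: services that must face the Internet

# gen_ipfw_rules ADMIN_IPS PUBLIC_PORTS EXT_IF -> ipfw commands on stdout
gen_ipfw_rules() {
    admin_ips=$1; public_ports=$2; ext_if=$3; n=100
    emit() { echo "ipfw add $n $1"; n=$((n + 10)); }
    echo "ipfw -f flush"
    emit "allow ip from any to any via lo0"
    emit "check-state"
    # Connections the box itself opens (DNS, pkg_add, etc.) get stateful entries.
    emit "allow tcp from me to any out via $ext_if setup keep-state"
    emit "allow udp from me to any 53 out via $ext_if keep-state"
    # SSH only from the admin addresses; nothing else reaches port 22.
    for ip in $admin_ips; do
        emit "allow tcp from $ip to me 22 in via $ext_if setup keep-state"
    done
    # The few services that really must be Internet facing.
    for port in $public_ports; do
        emit "allow tcp from any to me $port in via $ext_if setup keep-state"
    done
    emit "allow icmp from any to any icmptypes 0,3,8,11"
    # Default: staple everything else closed, and log it (IPFIREWALL_VERBOSE).
    emit "deny log ip from any to any"
}

# lockout_guard SECONDS -> command that reopens the box if you lose SSH.
# Start it in the background before loading the rules; kill it once a fresh
# SSH session has been confirmed to work. Rule 65000 sits just above the
# kernel's default deny rule 65535, so it turns the firewall into allow-all.
lockout_guard() {
    echo "sh -c 'sleep $1 && ipfw add 65000 allow ip from any to any' &"
}

gen_ipfw_rules "$ADMIN_IPS" "$PUBLIC_PORTS" "$EXT_IF"
echo "# anti-lockout guard: $(lockout_guard 300)"
```

Pipe the printed rules into a file, read them once more against the nmap output, and only then run them; the guard line is the last thing you should cancel.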