Need urgent help regarding security

Mark Kane mark at mkproductions.org
Thu Nov 17 05:42:29 GMT 2005


David Kirchner wrote:
> On 11/16/05, Mark Kane <mark at mkproductions.org> wrote:
> 
>>I also see a psyBNC server listening on port 7978:
>>
>>server# sockstat -l4 | grep psybnc
>>USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
>>wicked6  psybnc     15819 3  tcp4   *:7978                *:*
>>
>>Funny thing is there is no process by wicked6 (or by anyone currently)
>>called "psybnc". I can connect to an IP on that server on port 7978 and
>>get a psyBNC though. I've checked for other processes by wicked6, nothing.
> 
> 
> It's very common for them to overwrite argv[0], or use setproctitle
> stuff to hide the real name of the program. Some programs don't read
> that -- sockstat and top are two that don't read the modified program
> name.
> 
> 
>>It's trying to make a connection on 6667 to that IP as I said:
>>
>>server1# netstat -n | grep 6667
>>tcp4       0      0  xx.xx.xx.xx.64243    195.197.175.21.6667    SYN_SENT
> 
> 
> netstat -aAn (specifically, the -A) instructs netstat to prepend each
> line with the memory address of the network connection. If you run
> that you'll see something like:
> 
> f0d710c0 tcp4       0      0  xxx.xxx.xxx.xxx.29 211.119.136.240.66 ESTABLISHED
> 
> (sometimes, the port numbers get truncated, so you may have to grep
> for the destination IP instead of the port number.)
> 
> You can take that address and run fstat | grep address:
> 
> $ fstat | grep f0d710c0
> www      iroffer    19133    3* internet stream tcp f0d710c0
> 
> In this specific case, it's an iroffer program run from some PHP
> backdoor someone installed on the server (see
> http://malformed.org/2005/11/15/zend-encoder-bad-for-the-internet/ for
> a description of the present/near-future of these PHP backdoors). In
> your case it may be that you're running suexec or suPHP, or it may not
> have been started from the web at all. If that's the case, you may be
> able to find out what else is going on by ensuring /proc is mounted
> and then run: ps -uxwwep pid:
> 
> ps -uxwwep 19133
> USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
> www  19133  0.0  0.0  1244  424  ??  S    22Oct05  12:52.03 ...
> DOC_ROOT=/usr/home/user/websites/domain.com ...
> 
> You may also see SCRIPT_FILENAME or PWD or other environment variables
> that may give you hints as to where this was started from.
> 
> There are some other programs that'll do all this for you, I think
> 'lsof' is one. I dunno. I prefer to use base system utilities. But to
> each their own.
> 
> Of course, if the listening process isn't showing up at all, but you
> can still connect to the port, then you may have some sort of hacked
> kld loaded or hacked ps, in which case the attacker has root, which is
> a far more serious situation.

Okay well I looked around some more now and found it. It was in
/var/tmp/.packlist.0928456/ and it was showing up as "[psybnc]" (wasn't
there before). A kill -9 got rid of it.

I'm now grepping to try to find out what may have created that or
launched it.

Thanks

-Mark

-- 
GnuPG Public Key:
http://www.mkproductions.org/mk_pubkey.asc

Internet Radio:
Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net

IRC:
MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
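The netstat -aAn, fstat and ps -uxwwep chain David describes in the quoted reply, scripted end to end. This is an added example, not code from the thread or from FreeBSD; it assumes the column layout of the FreeBSD 5.x/6.x era tools exactly as shown in the mail, and it assumes you run it as root so fstat and ps -e can see other users' descriptors and environments (on the systems of that era ps -e also needs /proc mounted, as the reply notes). The sample netstat/fstat/ps output embedded in the script is constructed from the lines quoted above, with TEST-NET addresses and made-up PCB addresses, so the parsing can be tried on any Unix box; the live path only runs when an IP is given on the command line.

```sh
#!/bin/sh
# Added example (not from the thread or from FreeBSD): maps a remote IP seen
# in `netstat -aAn` back to the owning PID via `fstat`, then pulls the
# environment with `ps -uxwwep`.  ASSUMPTIONS: FreeBSD 5.x/6.x column
# layout as quoted in the mail; run as root so all processes are visible.

# socket_addr_for_ip IP
# stdin: `netstat -aAn` output.  Prints the PCB address (column 1) of each
# connection whose foreign address begins with "IP.".  Matches on the IP
# rather than the port because netstat truncates long port numbers.
socket_addr_for_ip() {
    awk -v ip="$1." '
        # fields: addr proto recv-q send-q local foreign [state]
        NF >= 6 && index($6, ip) == 1 { print $1 }'
}

# owner_of_socket ADDR
# stdin: `fstat` output.  Prints "USER CMD PID" for the descriptor whose last
# field is ADDR; prints nothing if no visible process claims the socket.
owner_of_socket() {
    awk -v addr="$1" '/internet/ && $NF == addr { print $1, $2, $3 }'
}

# env_hints
# stdin: `ps -uxwwep PID` output.  Prints the environment entries that say
# where the process was launched from (the web root, the PHP script, cwd).
env_hints() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(DOC_ROOT|SCRIPT_FILENAME|SCRIPT_NAME|PWD)=/) print $i
    }'
}

# report_owners NETSTAT_OUT FSTAT_OUT IP
# Joins the two tables: one line per socket to IP, "ADDR USER CMD PID", or
# "ADDR HIDDEN" when netstat sees a connection that no process owns -- the
# hacked-ps / rogue-kld case at the end of the quoted reply.
report_owners() {
    printf '%s\n' "$1" | socket_addr_for_ip "$3" | while read -r addr; do
        owner=$(printf '%s\n' "$2" | owner_of_socket "$addr")
        if [ -n "$owner" ]; then echo "$addr $owner"; else echo "$addr HIDDEN"; fi
    done
}

# Constructed sample output (TEST-NET addresses, made-up PCB addresses),
# patterned on the lines quoted in the mail.
SAMPLE_NETSTAT='f0d710c0 tcp4       0      0  192.0.2.10.29    198.51.100.7.66     ESTABLISHED
c1a2b3d4 tcp4       0      0  192.0.2.10.64243 203.0.113.9.6667    SYN_SENT
0badc0de tcp4       0      0  192.0.2.10.64250 203.0.113.9.6667    SYN_SENT
e5f60718 tcp4       0      0  *.7978           *.*                 LISTEN'
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
www      iroffer    19133    3* internet stream tcp f0d710c0
wicked6  [psybnc]   15819    3* internet stream tcp e5f60718
wicked6  [psybnc]   15819    5* internet stream tcp c1a2b3d4'
SAMPLE_PS='USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
www  19133  0.0  0.0  1244  424  ??  S    22Oct05  12:52.03 ./iroffer -b DOC_ROOT=/usr/home/user/websites/domain.com SCRIPT_FILENAME=/usr/home/user/websites/domain.com/img/up.php PWD=/var/tmp/.packlist.0928456'

# trace_live IP: the real thing, on a FreeBSD host, as root.
trace_live() {
    report_owners "$(netstat -aAn)" "$(fstat)" "$1" | while read -r addr user cmd pid; do
        echo "socket $addr -> $user $cmd pid=$pid"
        if [ "$user" = HIDDEN ]; then
            echo "  no process claims this socket: suspect a hacked ps/fstat or a rogue kld"
        else
            ps -uxwwep "$pid" | env_hints | sed 's/^/  /'
        fi
    done
}

if [ $# -gt 0 ]; then
    trace_live "$1"
else
    # Offline run over the constructed sample: one owned socket, one hidden.
    report_owners "$SAMPLE_NETSTAT" "$SAMPLE_FSTAT" 203.0.113.9
fi
```

Run it as `sh trace.sh 195.197.175.21` on the compromised box to get the PID and launch hints for every socket to that IP. Keep in mind the reply's last caveat: if the attacker has root, netstat, fstat and ps can all be lying, so a "HIDDEN" result (or a clean result you do not believe) is a reason to boot from known-good media rather than to keep grepping on the live system.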