Need urgent help regarding security
Mark Kane
mark at mkproductions.org
Thu Nov 17 05:42:29 GMT 2005
David Kirchner wrote:
> On 11/16/05, Mark Kane <mark at mkproductions.org> wrote:
>
>>I also see a psyBNC server listening on port 7978:
>>
>>server# sockstat -l4 | grep psybnc
>>USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
>>wicked6 psybnc 15819 3 tcp4 *:7978 *:*
>>
>>Funny thing is there is no process by wicked6 (or by anyone currently)
>>called "psybnc". I can connect to an IP on that server on port 7978 and
>>get a psyBNC though. I've checked for other processes by wicked6, nothing.
>
>
> It's very common for them to overwrite argv[0], or use setproctitle
> stuff to hide the real name of the program. Some programs don't read
> that -- sockstat and top are two that don't read the modified program
> name.
>
>
>>It's trying to make a connection on 6667 to that IP as I said:
>>
>>server1# netstat -n | grep 6667
>>tcp4 0 0 xx.xx.xx.xx.64243 195.197.175.21.6667 SYN_SENT
>
>
> netstat -aAn (specifically, the -A) instructs netstat to prepend each
> line with the memory address of the network connection. If you run
> that you'll see something like:
>
> f0d710c0 tcp4 0 0 xxx.xxx.xxx.xxx.29 211.119.136.240.66 ESTABLISHED
>
> (sometimes, the port numbers get truncated, so you may have to grep
> for the destination IP instead of the port number.)
>
> You can take that address and run fstat | grep address:
>
> $ fstat | grep f0d710c0
> www iroffer 19133 3* internet stream tcp f0d710c0
>
> In this specific case, it's an iroffer program run from some PHP
> backdoor someone installed on the server (see
> http://malformed.org/2005/11/15/zend-encoder-bad-for-the-internet/ for
> a description of the present/near-future of these PHP backdoors). In
> your case it may be that you're running suexec or suPHP, or it may not
> have been started from the web at all. If that's the case, you may be
> able to find out what else is going on by ensuring /proc is mounted
> and then run: ps -uxwwep pid:
>
> ps -uxwwep 19133
> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> www 19133 0.0 0.0 1244 424 ?? S 22Oct05 12:52.03 ...
> DOC_ROOT=/usr/home/user/websites/domain.com ...
>
> You may also see SCRIPT_FILENAME or PWD or other environment variables
> that may give you hints as to where this was started from.
>
> There are some other programs that'll do all this for you, I think
> 'lsof' is one. I dunno. I prefer to use base system utilities. But to
> each their own.
>
> Of course, if the listening process isn't showing up at all, but you
> can still connect to the port, then you may have some sort of hacked
> kld loaded or hacked ps, in which case the attacker has root, which is
> a far more serious situation.
Okay well I looked around some more now and found it. It was in
/var/tmp/.packlist.0928456/ and it was showing up as "[psybnc]" (wasn't
there before). A kill -9 got rid of it.
I'm now grepping to try to find out what may have created that or
launched it.
Thanks
-Mark
--
GnuPG Public Key:
http://www.mkproductions.org/mk_pubkey.asc
Internet Radio:
Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net
IRC:
MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
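The correlation David describes in the quoted reply (kernel socket address from `netstat -aAn`, owner from `fstat`, environment hints from `ps -uxwwep PID`) as an added shell example that is not part of the original thread. It runs offline over constructed sample output shaped like the snippets quoted above; the hostnames, addresses, PIDs and column positions are assumptions (the column layout of these tools varies between FreeBSD releases), and on a real host the three sample variables would be replaced by the live command output.

```shell
#!/bin/sh
# Constructed sample output (not captured from a real host), modelled on the
# formats quoted in the thread: netstat -aAn, fstat, and ps -uxwwep PID.
NETSTAT_SAMPLE='f0d710c0 tcp4 0 0 192.0.2.10.64243 198.51.100.7.6667 SYN_SENT
f0d71180 tcp4 0 0 192.0.2.10.22 203.0.113.5.51234 ESTABLISHED
f0d71240 tcp4 0 0 *.7978 *.* LISTEN'

FSTAT_SAMPLE='USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
wicked6 [psybnc] 15819 3* internet stream tcp f0d71240
wicked6 [psybnc] 15819 4* internet stream tcp f0d710c0
root sshd 1021 5* internet stream tcp f0d71180'

PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
wicked6 15819 0.0 0.0 1244 424 ?? S 16Nov05 0:00.12 [psybnc] DOC_ROOT=/usr/home/wicked6/websites/example.org SCRIPT_FILENAME=/usr/home/wicked6/websites/example.org/cache/inc.php PWD=/var/tmp/.packlist.0928456'

# Step 1: given a TCP port, print the kernel socket address (column 1 of
# netstat -aAn) for every connection whose local (col 5) or foreign (col 6)
# endpoint ends in ".PORT". Matching on the trailing ".PORT" avoids the
# truncated-port problem mentioned in the thread for the common case.
socket_addrs_for_port() {
    printf '%s\n' "$NETSTAT_SAMPLE" |
        awk -v port="$1" '$5 ~ ("[.]" port "$") || $6 ~ ("[.]" port "$") { print $1 }'
}

# Step 2: look the socket address up in fstat output and print "USER PID CMD".
# This works even when the process has rewritten argv[0] or setproctitle(),
# because fstat reports the real descriptor owner, not a name the program chose.
owner_of_socket() {
    printf '%s\n' "$FSTAT_SAMPLE" |
        awk -v addr="$1" '$NF == addr { print $1, $3, $2 }'
}

# Step 3: pull the environment hints named in the thread out of the
# ps -uxwwep line for that PID (requires /proc to be mounted on the real host).
env_hints() {
    printf '%s\n' "$PS_SAMPLE" |
        awk -v pid="$1" '$2 == pid {
            for (i = 11; i <= NF; i++)
                if ($i ~ /^(DOC_ROOT|SCRIPT_FILENAME|PWD)=/) print $i
        }'
}

# Driver: walk the whole chain for one port and report what was found.
trace_port() {
    for addr in $(socket_addrs_for_port "$1"); do
        owner=$(owner_of_socket "$addr")
        pid=$(printf '%s\n' "$owner" | awk '{ print $2 }')
        printf 'port %s -> socket %s -> %s\n' "$1" "$addr" "$owner"
        env_hints "$pid" | sed 's/^/    env: /'
    done
}

trace_port 6667   # the outbound IRC attempt
trace_port 7978   # the psyBNC listener
```

Two things this shows beyond the quoted text: the same lookup serves both the outbound 6667 connection and the 7978 listener, and the environment variables on the `ps` line are the link back to the directory the binary was launched from, which is the part of the investigation Mark was still grepping for when he wrote.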