what www perl script is running?
Ruben de Groot
mail25 at bzerk.org
Tue Aug 25 13:50:05 UTC 2009
On Tue, Aug 25, 2009 at 06:30:17AM -0700, Colin Brace typed:
>
> Bill, one more thing:
>
>
> Bill Moran wrote:
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
>
> Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
> 7000". OK, so I how do I know what port the script is using for outgoing
> traffic on MY box? 7000 is the remote host port, right?
gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
It's using local port 51295. But that's irrelevant as ports for outgoing
connections are dynamically allocated.
> FWIW, here are my core PF lines:
>
> pass out quick on $ext_if proto 41
> pass out quick on gif0 inet6
> pass in quick on gif0 inet6 proto icmp6
> block in log
>
> That is to say: nothing is allowed in unless explicitly allowed
> Everything allowed out.
Which is exactly what the rogue perl script was using to connect to it's "home".
Once established this connection could have been used for allmost anything,
including downloading other malicious software or setting up a tunnel into
your LAN.
Ruben
More information about the freebsd-questions
mailing list