what www perl script is running?
Paul Schmehl
pschmehl_lists at tx.rr.com
Tue Aug 25 14:36:36 UTC 2009
--On Tuesday, August 25, 2009 07:26:04 -0500 Bill Moran
<wmoran at potentialtech.com> wrote:
>>
>> I am currently killing the process with the following bash command while I
>> decide what to do next:
>>
>> $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15;
>> done
>
> You can add an ipfw rule to prevent the script from calling home, which
> will effectively render it neutered until you can track down and actually
> _fix_ the problem.
>
> In reality, good security practice says that you should have IPFW (or some
> other firewall) running and only allowing known good traffic right from
> the start, which might have protected you from this in the first place.
>
I disagree. I used to believe this, but experience has taught me otherwise.
When you run a firewall on a host, you open the ports for the services you want
to offer. The firewall provides you no protection at all against hackers
attacking the services that are listening on ports opened through the firewall.
All a host firewall does is consume CPU and memory and give you a warm fuzzy
that doesn't really add to security at all and may well make you less vigilant.
(And yes, I know I'm a security heretic in some quarters.)
Firewalls are much more effective when they're not on the box(es) you're trying
to protect.
I think it's highly likely that this compromise was through the web server
attacking a vulnerable service or a poorly coded script or a permissions
problem. And it sounds like the compromise is limited (right now) to the web
service. In fact it sounds a great deal like PsyBNC.
http://en.wikipedia.org/wiki/PsyBNC
>> Is it worth first trying to determine how my system was broken into?
>
> Yes. Otherwise you'll probably just get a repeat once you've reinstalled.
>
You're absolutely correct. The old aphorism about always doing what you've
always done always produces the results you've always gotten certainly applies
here.
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
More information about the freebsd-questions
mailing list