Need urgent help regarding security
iaccounts at ibctech.ca
Thu Nov 17 03:06:43 GMT 2005
> - "top" lists nothing significant. 97% idle CPU
Irrelavent, the process is probably idle right now.
> - "w" only shows myself and one other legit user logged in
> who is editing config files with vi
Perhaps they aren't currently logged in.
> - "last" shows nothing but myself and that one other user
What is the last entry that last shows (no pun intended)...ie: what is
> - "ps -aux" doesn't say anything about psyBNC or bnc.
> everything looks normal as of now
Ok, here's what to do:
# pkg_add -r nmap
# nmap -sS -P0 my.ip.server.com
...then (probably futile):
# nmap -sU -P0 my.ip.server.com
which will tell you if you are listening on ports you *shouldn't* have
> - It's a FreeBSD 5.4-RELEASE machine with a generic kernel
> except with quota support
You still didn't answer the FTP question. What services should be
running on it?
You can easily rebuild a new kernel with:
Then create a script blocking ALL ports exept those what you need.
Especially only allowing SSH access to the box from limited IP's. If you
need help, just ask.
This sounds like a brute-forced password hack via remote access, or
overflow via a vulnerable software that should not be Internet facing.
Don't give me your IP if you don't want, just tell us (or me personally)
what should be Internet facing (as far as services), and get you fixed
Have you checked your daily cron outputs lately? What do they say?
nmap is your friend, and so is IPFW. Figure out exactly what you need to
face the Internet, and staple the rest closed.
> GnuPG Public Key:
> Internet Radio:
> Party107 (Trance/Electronic) - http://www.party107.com Rock
> 101.9 The Edge (Rock) - http://www.rock1019.net
> MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
More information about the freebsd-questions