Need urgent help regarding security

Steve Bertrand iaccounts at
Thu Nov 17 03:06:43 GMT 2005

> - "top" lists nothing significant. 97% idle CPU

Irrelevant, the process is probably idle right now.

> - "w" only shows myself and one other legit user logged in 
> who is editing config files with vi

Perhaps they aren't currently logged in.

> - "last" shows nothing but myself and that one other user

What is the last entry that last shows (no pun intended)? What is
the date?

> - "ps -aux" doesn't say anything about psyBNC or bnc. 
> everything looks normal as of now

Ok, here's what to do:

# pkg_add -r nmap
# rehash
# nmap -sS -P0

...then (probably futile):

# nmap -sU -P0

which will tell you if you are listening on ports you *shouldn't* have.

> - It's a FreeBSD 5.4-RELEASE machine with a generic kernel 
> except with quota support

You still didn't answer the FTP question. What services should be
running on it?

You can easily rebuild a new kernel with:


Then create a script blocking ALL ports except those that you need, and
especially allow SSH access to the box only from limited IPs. If you
need help, just ask.

This sounds like a brute-forced password hack via remote access, or an
overflow via vulnerable software that should not be Internet facing.

Don't give me your IP if you don't want, just tell us (or me personally)
what should be Internet facing (as far as services), and we'll get you fixed.

Have you checked your daily cron outputs lately? What do they say?

nmap is your friend, and so is IPFW. Figure out exactly what you need to
face the Internet, and staple the rest closed.

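An added example of the "block everything except what you need" IPFW script suggested in the reply above (this is not part of Steve's message or of FreeBSD's own rc.firewall). It assumes, as constructed placeholders, an external interface named fxp0, admin hosts 192.0.2.10 and 192.0.2.11 as the only sources allowed to reach SSH, and FTP (21) and HTTP (80) as the only services that genuinely must face the Internet; override the variables for a real box.

```shell
#!/bin/sh
# Default-deny IPFW ruleset generator for a FreeBSD box: loopback, stateful
# replies to connections the host itself starts, SSH only from admin hosts,
# a short list of public TCP services, and everything else denied and logged.
# Assumed placeholder values (constructed for this example):
EXT_IF=${EXT_IF:-fxp0}
ADMIN_HOSTS=${ADMIN_HOSTS:-"192.0.2.10 192.0.2.11"}
PUBLIC_TCP_PORTS=${PUBLIC_TCP_PORTS:-"21 80"}

# Print the ruleset, one "add" line per rule, in the file syntax ipfw(8) reads.
ipfw_ruleset() {
    n=100
    printf 'add %d allow ip from any to any via lo0\n' "$n"; n=$((n+100))
    printf 'add %d deny ip from any to 127.0.0.0/8\n' "$n"; n=$((n+100))
    printf 'add %d deny ip from 127.0.0.0/8 to any\n' "$n"; n=$((n+100))
    # Replies to connections this box opened itself come back via check-state.
    printf 'add %d check-state\n' "$n"; n=$((n+100))
    printf 'add %d allow ip from me to any out via %s keep-state\n' "$n" "$EXT_IF"; n=$((n+100))
    # SSH: new connections (setup) only from the admin hosts, nowhere else.
    for h in $ADMIN_HOSTS; do
        printf 'add %d allow tcp from %s to me 22 in via %s setup keep-state\n' \
            "$n" "$h" "$EXT_IF"; n=$((n+100))
    done
    # Services that really must face the Internet; psyBNC-style ports never appear here.
    for p in $PUBLIC_TCP_PORTS; do
        printf 'add %d allow tcp from any to me %s in via %s setup keep-state\n' \
            "$n" "$p" "$EXT_IF"; n=$((n+100))
    done
    # Enough ICMP for ping and path-MTU discovery, then log and drop the rest.
    printf 'add %d allow icmp from any to any icmptypes 0,3,8,11\n' "$n"
    printf 'add %d deny log ip from any to any\n' 65000
}

# Number of rules generated, so a caller can sanity-check before loading.
ipfw_rule_count() { ipfw_ruleset | wc -l | tr -d ' '; }

# Write the rules to a file and load them with ipfw(8) (run from the console).
ipfw_apply() {
    f=${1:-/etc/ipfw.rules}
    ipfw_ruleset > "$f"
    ipfw -q -f flush
    ipfw -q "$f"
}
```

Run `ipfw_ruleset` first and read the output, then `ipfw_apply` from the console rather than over SSH, because the flush drops every session until the new rules are loaded.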

