Need urgent help regarding security

Mark Kane mark at
Thu Nov 17 05:42:29 GMT 2005

David Kirchner wrote:
> On 11/16/05, Mark Kane <mark at> wrote:
>>I also see a psyBNC server listening on port 7978:
>>server# sockstat -l4 | grep psybnc
>>wicked6  psybnc     15819 3  tcp4   *:7978                *:*
>>Funny thing is there is no process by wicked6 (or by anyone currently)
>>called "psybnc". I can connect to an IP on that server on port 7978 and
>>get a psyBNC though. I've checked for other processes by wicked6, nothing.
> It's very common for them to overwrite argv[0], or use setproctitle
> stuff to hide the real name of the program. Some programs don't read
> that -- sockstat and top are two that don't read the modified program
> name.
>>It's trying to make a connection on 6667 to that IP as I said:
>>server1# netstat -n | grep 6667
>>tcp4       0      0  xx.xx.xx.xx.64243    SYN_SENT
> netstat -aAn (specifically, the -A) instructs netstat to prepend each
> line with the memory address of the network connection. If you run
> that you'll see something like:
> f0d710c0 tcp4       0      0 ESTABLISHED
> (sometimes, the port numbers get truncated, so you may have to grep
> for the destination IP instead of the port number.)
> You can take that address and run fstat | grep address:
> $ fstat | grep f0d710c0
> www      iroffer    19133    3* internet stream tcp f0d710c0
> In this specific case, it's an iroffer program run from some PHP
> backdoor someone installed on the server (see
> for
> a description of the present/near-future of these PHP backdoors). In
> your case it may be that you're running suexec or suPHP, or it may not
> have been started from the web at all. If that's the case, you may be
> able to find out what else is going on by ensuring /proc is mounted
> and then run: ps -uxwwep pid:
> ps -uxwwep 19133
> www  19133  0.0  0.0  1244  424  ??  S    22Oct05  12:52.03 ...
> DOC_ROOT=/usr/home/user/websites/ ...
> You may also see SCRIPT_FILENAME or PWD or other environment variables
> that may give you hints as to where this was started from.
> There are some other programs that'll do all this for you, I think
> 'lsof' is one. I dunno. I prefer to use base system utilities. But to
> each their own.
> Of course, if the listening process isn't showing up at all, but you
> can still connect to the port, then you may have some sort of hacked
> kld loaded or hacked ps, in which case the attacker has root, which is
> a far more serious situation.

Okay well I looked around some more now and found it. It was in
/var/tmp/.packlist.0928456/ and it was showing up as "[psybnc]" (wasn't
there before). A kill -9 got rid of it.

I'm now grepping to try to find out what may have created that or
launched it.

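Added example (not part of the original thread, and not David's or Mark's code): a small sh script that automates the correlation the reply above describes, reading the PCB address from the `-A` column of `netstat -aAn`, looking that address up in `fstat` to get the owning user, command and pid, and flagging any connection that has no descriptor behind it at all, which is the hidden-process case the reply warns about. The `netstat -aAn` and `fstat` outputs embedded below are constructed samples in the column layout the reply shows; the addresses, IPs, pids and the extra listener on port 4444 are made up for the demonstration. Run it as `sh script.sh --live '\.6667$'` on a real box, as root so that `fstat` can see every user's descriptors, to use live output instead of the samples.

```shell
#!/bin/sh
# Map a network connection to its process the way the reply describes:
#   netstat -aAn  -> PCB address in the first column
#   fstat         -> same address in the last column of a socket line
# Everything below the sample data works on real output too.

# Constructed sample of `netstat -aAn` (assumption: same layout as the reply).
NETSTAT_SAMPLE='Active Internet connections (including servers)
Tcpcb    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
f0d710c0 tcp4       0      0  192.0.2.10.64243       198.51.100.7.6667      SYN_SENT
f0d71a00 tcp4       0      0  *.7978                 *.*                    LISTEN
f0d72340 tcp4       0      0  192.0.2.10.22          203.0.113.5.50122      ESTABLISHED
f0d73000 tcp4       0      0  192.0.2.10.4444        *.*                    LISTEN'

# Constructed sample of `fstat`; note the 4444 listener has no owner here,
# which is what a hidden process looks like from userland.
FSTAT_SAMPLE='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
wicked6  [psybnc]   15819    3* internet stream tcp f0d71a00
wicked6  [psybnc]   15819    4* internet stream tcp f0d710c0
root     sshd        1042    5* internet stream tcp f0d72340'

# pcb_for_endpoint NETSTAT_OUTPUT EGREP_PATTERN
# Prints the PCB address of every connection whose local or foreign endpoint
# matches PATTERN, e.g. '\.6667$' for a port or '^198\.51\.100\.7\.' for a
# host (grep the host when netstat has truncated the port, as the reply notes).
pcb_for_endpoint() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9a-f]+$/ && $2 ~ /^(tcp|udp)/ { print $1, $5, $6 }' |
        grep -E -- "$2" | cut -d' ' -f1
}

# pid_for_pcb FSTAT_OUTPUT PCB
# Prints "user command pid" for the descriptor that holds PCB, if any.
pid_for_pcb() {
    printf '%s\n' "$1" | awk -v pcb="$2" '$NF == pcb { print $1, $2, $3 }'
}

# owner_of_endpoint NETSTAT_OUTPUT FSTAT_OUTPUT EGREP_PATTERN
# One line per matching connection: "pcb user command pid", or a warning when
# no process owns the socket (hidden process, hacked ps/fstat, or a kld).
owner_of_endpoint() {
    for pcb in $(pcb_for_endpoint "$1" "$3"); do
        owner=$(pid_for_pcb "$2" "$pcb")
        if [ -n "$owner" ]; then
            printf '%s %s\n' "$pcb" "$owner"
        else
            printf '%s NOT-IN-FSTAT (hidden process?)\n' "$pcb"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    # Real run: needs root so fstat can report other users' descriptors.
    owner_of_endpoint "$(netstat -aAn)" "$(fstat)" "${2:?endpoint pattern}"
else
    # Walk the constructed samples: the IRC connection, the bouncer listener,
    # and the listener nobody admits to owning.
    owner_of_endpoint "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE" '\.6667$'
    owner_of_endpoint "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE" '\.7978( |$)'
    owner_of_endpoint "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE" '\.4444( |$)'
fi
```

Once you have the pid, the `ps -uxwwep PID` step from the reply still applies as written; the script only replaces the manual grep through `netstat` and `fstat`. A connection that `netstat` shows but no `fstat` line owns is the case to treat as a probable root compromise rather than a stray user process.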
More information about the freebsd-questions mailing list