server was hacked
Heiko Wundram (Beenic)
wundram at beenic.net
Sat Aug 11 04:54:31 PDT 2007
On Saturday 11 August 2007 13:20:31, Brent wrote:
> I'm running FBSD 5.4 as a web server; the server is behind a Cisco
> firewall/router and the server has a lot of CMS Joomla / Mambo sites on it. I
> noticed that when I ran sockstat I was seeing multiple IPs connected to
> high ports on the server with a process id of "psybnc". Did some looking
> around & found that this is an IRC relay program that was installed through
> a compromised Mambo site.
That was a known Mambo vulnerability which also hit a client of ours. It's not
a root compromise, though, AFAIR.
> On FBSD how do you checksum binaries on the system to ensure someone hasn't
> replaced one with their own binary.
Install security/tripwire and configure properly.
--
Heiko Wundram
Product & Application Development
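
The baseline-and-compare idea behind the checksum question in this thread, as an added example that is not part of the original messages and is not Tripwire's code. The helper names `snapshot`, `compare` and `demo` are assumptions for illustration, and the sample files are constructed in a temporary directory standing in for the system binary directories.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(dirs):
    """Map each regular file under dirs to (sha256 hex, permission bits, owner uid)."""
    snap = {}
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, devices, sockets
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                snap[path] = (digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid)
    return snap


def compare(baseline, current):
    """Return sorted lists of paths that changed, appeared, or vanished."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Constructed sample: a temp dir stands in for the system binary directories."""
    with tempfile.TemporaryDirectory() as d:
        ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
        for p in (ls, ps):
            with open(p, "wb") as fh:
                fh.write(b"original " + os.path.basename(p).encode())
            os.chmod(p, 0o755)
        baseline = snapshot([d])          # taken while the system is known-good
        with open(ls, "wb") as fh:        # contents replaced
            fh.write(b"replaced")
        os.chmod(ps, 0o4755)              # same bytes, setuid bit added
        with open(os.path.join(d, "psybnc"), "wb") as fh:
            fh.write(b"new file")         # file that was not in the baseline
        result = compare(baseline, snapshot([d]))
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}
```

The comparison is only as trustworthy as the baseline: build it from a known-good system and keep it on read-only or offline media, because a baseline taken after a compromise records the replaced files as normal.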