what www perl script is running?

Paul Schmehl pauls at utdallas.edu
Tue Aug 25 14:51:48 UTC 2009


--On Tuesday, August 25, 2009 04:41:33 -0500 Ruben de Groot <mail25 at bzerk.org> 
wrote:

>
> On Tue, Aug 25, 2009 at 10:19:37AM +0100, Mike Bristow typed:
>> On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
>> > Ok, here is what lsof tells me:
>> >
>> > $ sudo lsof | grep perl
>> > perl5.8.9  4272     www    3u    IPv4 0xc33cf000        0t0     TCP
>> > gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
>> >
>> > The last line would appear to be telling me something, but what?
>>
>> The script is talking to 94.102.51.57 on port 7000.
>
> At which port an IRC server is listening:
>
>> telnet 94.102.51.57 7000
> Trying 94.102.51.57...
> Connected to 94.102.51.57.
> Escape character is '^]'.
> :sampson.dangerz.biz NOTICE AUTH :*** Looking up your hostname...
> :sampson.dangerz.biz NOTICE AUTH :*** Couldn't resolve your hostname; using
> your IP address instead
>

And the IRC daemon is screaming "You have been hacked!"

You need to get someone who knows about server compromises to help you.  Your 
server has been compromised.  If you don't take action now, it will only get 
worse.

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


More information about the freebsd-questions mailing list