what www perl script is running?
Paul Schmehl
pschmehl_lists at tx.rr.com
Tue Aug 25 14:54:39 UTC 2009
--On Tuesday, August 25, 2009 05:46:43 -0500 Colin Brace <cb at lim.nl> wrote:
>
> Olivier Nicole wrote:
>>
>>> Am I correct in assuming that my system has been hacked and I am running an
>>> IRC server or something?
>>
>> IRC client at least. And yes, I would think that your system has been
>> compromised.
>>
>
> Thanks Olivier.
>
> I am currently killing the process with the following bash command while I
> decide what to do next:
>
> $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15; done
>
> I suppose this calls for a "bare-metal" reinstall.
>
> Is it worth first trying to determine how my system was broken into?
>
Only you can answer that question. How badly do you need to get the server
back up and running? If it's not critical, it would be worth taking the time
to investigate. Otherwise you'll set it back up the same way and be hacked
again in the same way. If you know someone who is good at forensics on Unix
boxes, call them.
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson