--On Wednesday, November 16, 2005 20:29:55 -0500 Steve Bertrand <[EMAIL PROTECTED]> wrote:


I think we have a serious problem. One of our old servers
running FreeBSD 4.9 has been compromised and is now
connected to an ircd server.
195.204.1.132.6667     ESTABLISHED

Ran into this recently. Please post the entire output from:

# top
# w
# last
# ps -aux
# uname -a

Just keep in mind that any or all of these could be hacked versions designed to hide everything the attacker is doing.

Once a box has been hacked, you can no longer trust any of the binaries unless you can verify their integrity with MD5 sums from the same binaries on a known good box.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
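
The integrity check described in the message above, as an added example that is not part of the original thread: it compares binaries on the suspect disk against a digest manifest recorded on a known good box. The manifest format (`digest  /path` per line), the function names, and the sample data are assumptions made for illustration; it is meant to run from a trusted system with the suspect disk mounted under `suspect_root`, so that neither the interpreter nor the hashing code comes from the compromised box.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="md5"):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse 'hexdigest  /path' lines recorded on the known good box."""
    manifest = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, path = line.split(None, 1)
            manifest[path.strip()] = digest.lower()
    return manifest

def compare(suspect_root, manifest, algo="md5"):
    """Check each listed binary under suspect_root (the suspect disk's mount point)."""
    status = {}
    for path, good in manifest.items():
        full = os.path.join(suspect_root, path.lstrip("/"))
        if not os.path.isfile(full):
            status[path] = "missing"
        elif file_digest(full, algo) != good:
            status[path] = "MISMATCH"
        else:
            status[path] = "ok"
    return status

def demo():
    """Constructed sample: byte strings stand in for real binaries."""
    good = {"/bin/ps": b"ps from good box", "/usr/bin/w": b"w from good box",
            "/usr/bin/last": b"last from good box"}
    manifest_text = "# constructed manifest\n" + "\n".join(
        f"{hashlib.md5(data).hexdigest()}  {path}" for path, data in good.items())
    with tempfile.TemporaryDirectory() as root:
        on_disk = {"/bin/ps": b"replaced ps", "/usr/bin/w": good["/usr/bin/w"]}
        for path, data in on_disk.items():
            full = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return compare(root, parse_manifest(manifest_text))
```

The `algo` argument accepts any name `hashlib.new` supports; MD5 is the default only because it is the digest named in the message.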
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions