server was hacked

2007-08-11 Thread Brent
I'm running FBSD 5.4 as a web server. The server is behind a Cisco firewall
/router and has a lot of CMS (Joomla / Mambo) sites on it. I noticed that
when I ran sockstat I was seeing multiple IPs connected to high ports on the
server with a process id of psybnc. Did some looking around & found that
this is an IRC relay program that was installed through a compromised Mambo
site. After getting rid of the program I changed our router to disallow this
type of traffic and started trying to fix the box. I'm pretty sure that root
wasn't compromised but I'm going to re-install anyway. My question: has
anyone run into this problem with CMS sites? How exactly are they getting
in? What are the things I can do to prevent this? On FBSD how do you checksum
binaries on the system to ensure someone hasn't replaced one with their own
binary.

Thank you... and all help is greatly appreciated.


--
Brent 

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: server was hacked

2007-08-11 Thread Heiko Wundram (Beenic)
On Saturday 11 August 2007 13:20:31, Brent wrote:
> I'm running FBSD 5.4 as a web server. The server is behind a Cisco firewall
> /router and has a lot of CMS (Joomla / Mambo) sites on it. I noticed that
> when I ran sockstat I was seeing multiple IPs connected to high ports on
> the server with a process id of psybnc. Did some looking around & found
> that this is an IRC relay program that was installed through a compromised
> Mambo site.

That was a known Mambo vulnerability which also hit a client of ours. It's not
a root compromise, though, AFAIR.

> On FBSD how do you checksum binaries on the system to ensure someone hasn't
> replaced one with their own binary.

Install security/tripwire and configure it properly.

-- 
Heiko Wundram
Product  Application Development


Re: server was hacked

2007-08-11 Thread Mohd Ghalib Akhtar
Hi,
How do I restore a deleted file or folder in Linux?

Take care
Mohd.Ghalib Akhtar
(India.M)9899868681
(Africa.M) +255787896861
- Original Message 
From: Heiko Wundram (Beenic) [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Saturday, August 11, 2007 2:54:29 PM
Subject: Re: server was hacked




Re: server was hacked

2007-08-11 Thread Frank Wissmann

Brent wrote:

> ... How exactly are they getting in?
> What are the things I can do to prevent this? On FBSD how do you checksum
> binaries on the system to ensure someone hasn't replaced one with their own
> binary.


Do yourself a favor and buy the book

BSD Hacks
by
Dru Lavigne
O'Reilly Media
ISBN 0-596-00679-9

Chapter 6 and especially hacks 56, 58 and 59 are useful.

Regards
Frank




Re: server was hacked

2007-08-11 Thread Bill Moran
On Sat, 11 Aug 2007 13:54:29 +0200
Heiko Wundram (Beenic) [EMAIL PROTECTED] wrote:
>
> > On FBSD how do you checksum binaries on the system to ensure someone hasn't
> > replaced one with their own binary.
>
> Install security/tripwire and configure it properly.

Note that tripwire isn't the only option.  There are also AIDE and Samhain.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
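The baseline-and-verify idea behind tripwire, AIDE and Samhain, shown as an added example that is not part of the thread: a POSIX sh script that records SHA-256 hashes of a directory tree and later reports every path that was modified, added or removed. It assumes GNU sha256sum or FreeBSD's sha256 -r is on the PATH and that the checked paths contain no whitespace; the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal baseline-and-verify
# integrity check of the kind tripwire, AIDE and Samhain implement far more
# thoroughly. Assumes sha256sum (GNU) or FreeBSD's sha256 -r is on the PATH,
# and that the paths being checked contain no whitespace.

# Print "hash path" lines for every regular file below a directory, sorted.
hash_tree() {
    if command -v sha256sum >/dev/null 2>&1; then
        find "$1" -type f -exec sha256sum {} + | sort
    else
        # FreeBSD sha256(1) with -r prints "hash path", like sha256sum
        find "$1" -type f -exec sha256 -r {} + | sort
    fi
}

# Record a baseline of a clean tree (e.g. right after the re-install).
# Keep the baseline off the box or on read-only media: a baseline an
# intruder can rewrite proves nothing.
make_baseline() {
    hash_tree "$1" > "$2"
}

# Re-hash the tree and report every path whose entry differs from the
# baseline (modified, added or removed), one per line.
# Returns 0 when nothing changed, 1 otherwise.
verify_baseline() {
    now=$(mktemp)
    hash_tree "$1" > "$now"
    # comm -3 keeps lines unique to either file; a replaced binary shows up
    # once with its old hash and once with its new one, so dedupe on path.
    changed=$(comm -3 "$2" "$now" | awk '{print $NF}' | sort -u)
    rm -f "$now"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Usage on a real system (paths are assumptions):
#   make_baseline /usr/bin /mnt/readonly/usr-bin.sha256
#   verify_baseline /usr/bin /mnt/readonly/usr-bin.sha256 || echo "CHANGED"
```

Run the verify step from a trusted environment (boot media or a clean host reading the disk), since a compromised box could also carry a replaced find, sha256sum or sh.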


Re: server was hacked

2007-08-11 Thread Erik Osterholm
On Sat, Aug 11, 2007 at 07:20:31AM -0400, Brent wrote:
> a compromised Mambo site. After getting rid of the program I changed
> our router to disallow this type of traffic and started trying to fix
> the box. I'm pretty sure that root wasn't compromised but I'm going to
> re-install anyway. My question: has anyone run into this problem with
> CMS sites? How exactly are they getting in?

Lots of CMSes have long histories of vulnerabilities.  Check out
www.securityfocus.com, e.g.
http://search.securityfocus.com/swsearch?query=mambosbm=bidsubmit=Search%21metaname=alldocsort=swishrank
for some details.


Erik


RE: server was hacked

2007-08-11 Thread Tamouh H.
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brent
> Sent: August 11, 2007 7:21 AM
> To: [EMAIL PROTECTED]
> Subject: server was hacked
>


Just some advice for the future: if you're running Apache, use mod_security to
protect you from similar hacks (you need to update the rules every now and then
to stay on top of things):

http://www.modsecurity.org/ you'll also find sample rules at: www.gotroot.com

Tamouh

