server was hacked
I'm running FBSD 5.4 as a web server. The server is behind a Cisco firewall/router and has a lot of CMS (Joomla / Mambo) sites on it. I noticed that when I ran sockstat I was seeing multiple IPs connected to high ports on the server with a process ID of psybnc. Did some looking around and found that this is an IRC relay program that was installed through a compromised Mambo site. After getting rid of the program I changed our router to disallow this type of traffic and started trying to fix the box. I'm pretty sure that root wasn't compromised but I'm going to re-install anyway.

My questions: has anyone run into this problem with CMS sites? How exactly are they getting in? What are the things I can do to prevent this? On FBSD how do you checksum binaries on the system to ensure someone hasn't replaced one with their own binary?

Thank you... and all help is greatly appreciated.

-- 
Brent

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
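The check Brent did by eye (sockstat showing an unexpected command with several remote peers on a high port) as a small script, added here as an example and not from the thread; the sockstat sample is constructed, and the column layout assumed is FreeBSD's USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS:

```shell
# Added example (not from the thread): screen sockstat output for sockets
# held by commands outside a short allowlist of expected daemons, which is
# the pattern Brent noticed (psybnc with several remote IPs on a high port).
# The sockstat sample below is constructed; assumed column layout is that of
# FreeBSD's sockstat: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       600   3  tcp4   *:22                  *:*
www      httpd      812   4  tcp4   *:80                  *:*
www      httpd      815   4  tcp4   10.0.0.5:80           198.51.100.20:40112
www      psybnc     4321  3  tcp4   10.0.0.5:31337        *:*
www      psybnc     4321  4  tcp4   10.0.0.5:31337        203.0.113.7:51234
www      psybnc     4321  5  tcp4   10.0.0.5:31337        203.0.113.9:51301'

# suspicious_sockets "cmd1 cmd2 ..." < sockstat-output
# Prints USER COMMAND PID LOCAL FOREIGN for every socket whose command is not
# in the space-separated allowlist. Unknown listeners and unknown established
# connections both show up, so a bouncer on a high port is not missed.
suspicious_sockets() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                      # skip the header line
        !($2 in ok) { print $1, $2, $3, $6, $7 }
    '
}

# count_remote_peers COMMAND < sockstat-output
# Number of distinct remote IPs connected to COMMAND (port stripped, "*:*"
# listeners ignored). Several peers on one unexpected process is the relay signature.
count_remote_peers() {
    awk -v cmd="$1" '
        NR > 1 && $2 == cmd && $7 != "*:*" { sub(/:[0-9]+$/, "", $7); peers[$7] = 1 }
        END { n = 0; for (p in peers) n++; print n }
    '
}

# Usage on a live box:  sockstat -4 | suspicious_sockets "sshd httpd ntpd"
```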
Re: server was hacked
On Saturday 11 August 2007 13:20:31 Brent wrote:
> I'm running FBSD 5.4 as a web server. The server is behind a Cisco firewall/router and has a lot of CMS (Joomla / Mambo) sites on it. I noticed that when I ran sockstat I was seeing multiple IPs connected to high ports on the server with a process ID of psybnc. Did some looking around and found that this is an IRC relay program that was installed through a compromised Mambo site.

That was a known Mambo vulnerability which also hit a client of ours. It's not a root compromise, though, AFAIR.

> On FBSD how do you checksum binaries on the system to ensure someone hasn't replaced one with their own binary?

Install security/tripwire and configure properly.

-- 
Heiko Wundram
Product Application Development
Re: server was hacked
Hi, how to restore a deleted file or folder in Linux?

Take care
Mohd. Ghalib Akhtar
(India, M) 9899868681
(Africa, M) +255787896861

----- Original Message -----
From: Heiko Wundram (Beenic) [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Saturday, August 11, 2007 2:54:29 PM
Subject: Re: server was hacked

> On Saturday 11 August 2007 13:20:31 Brent wrote:
> > I'm running FBSD 5.4 as a web server. The server is behind a Cisco firewall/router and has a lot of CMS (Joomla / Mambo) sites on it. I noticed that when I ran sockstat I was seeing multiple IPs connected to high ports on the server with a process ID of psybnc. Did some looking around and found that this is an IRC relay program that was installed through a compromised Mambo site.
>
> That was a known Mambo vulnerability which also hit a client of ours. It's not a root compromise, though, AFAIR.
>
> > On FBSD how do you checksum binaries on the system to ensure someone hasn't replaced one with their own binary?
>
> Install security/tripwire and configure properly.
>
> -- 
> Heiko Wundram
> Product Application Development
Re: server was hacked
Brent wrote:
> How exactly are they getting in? What are the things I can do to prevent this? On FBSD how do you checksum binaries on the system to ensure someone hasn't replaced one with their own binary?

Do yourself a favor and buy the book "BSD Hacks" by Dru Lavigne, O'Reilly Media, ISBN 0-596-00679-9. Chapter 6, and especially hacks 56, 58 and 59, are useful.

Regards
Frank
Re: server was hacked
On Sat, 11 Aug 2007 13:54:29 +0200 Heiko Wundram (Beenic) [EMAIL PROTECTED] wrote:
> > On FBSD how do you checksum binaries on the system to ensure someone hasn't replaced one with their own binary?
>
> Install security/tripwire and configure properly.

Note that tripwire isn't the only option. There's also AIDE and Samhain.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
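What tripwire, AIDE and Samhain do in principle for Brent's "how do you checksum binaries" question, as an added example rather than anything from the thread or from those tools: record mode, owner, size and SHA-256 of every file under a directory once, then compare later. It assumes POSIX sh with sha256sum (Linux) or sha256 (FreeBSD) plus stat, and paths without spaces.

```shell
# Added example (not from the thread, and not tripwire/AIDE/Samhain itself):
# a minimal baseline-and-verify check of the kind those tools do. Records
# mode, owner, size and SHA-256 of every regular file under a directory and
# later reports what CHANGED, was REMOVED or was ADDED. Assumes POSIX sh plus
# sha256sum (Linux) or sha256 (FreeBSD) and stat; paths must not contain spaces.
# Keep the baseline off the box or on read-only media: whoever can replace
# /bin/ls can also edit a baseline stored next to it.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# mode:owner:size, GNU stat first, BSD stat as the fallback
file_meta() {
    stat -c '%a:%U:%s' "$1" 2>/dev/null || stat -f '%Lp:%Su:%z' "$1"
}

# make_baseline DIR OUTFILE -> one line per file: path mode:owner:size sha256
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$f" "$(file_meta "$f")" "$(hash_file "$f")"
    done > "$2"
}

# verify_baseline DIR BASELINE -> prints one line per difference;
# returns 0 when the tree still matches the baseline, 1 otherwise
verify_baseline() {
    now=$(mktemp) || return 2
    make_baseline "$1" "$now"
    rc=0
    while IFS= read -r line; do            # every baseline entry must match exactly
        f=${line%% *}
        if ! grep -qxF -- "$line" "$now"; then
            if cut -d' ' -f1 "$now" | grep -qxF -- "$f"; then echo "CHANGED $f"
            else echo "REMOVED $f"; fi
            rc=1
        fi
    done < "$2"
    while IFS= read -r line; do            # anything new is reported too
        f=${line%% *}
        cut -d' ' -f1 "$2" | grep -qxF -- "$f" || { echo "ADDED $f"; rc=1; }
    done < "$now"
    rm -f "$now"
    return $rc
}
```

Typical use is `make_baseline /usr/bin baseline.txt` right after a clean install, then `verify_baseline /usr/bin baseline.txt` from cron with the baseline held somewhere the web server's user cannot write.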
Re: server was hacked
On Sat, Aug 11, 2007 at 07:20:31AM -0400, Brent wrote:
> a compromised Mambo site. After getting rid of the program I changed our router to disallow this type of traffic and started trying to fix the box. I'm pretty sure that root wasn't compromised but I'm going to re-install anyway. My question: has anyone run into this problem with CMS sites? How exactly are they getting in?

Lots of CMSes have long histories of vulnerabilities. Check out www.securityfocus.com, e.g.
http://search.securityfocus.com/swsearch?query=mambo&sbm=bid&submit=Search%21&metaname=alldoc&sort=swishrank
for some details.

Erik
RE: server was hacked
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent
Sent: August 11, 2007 7:21 AM
To: [EMAIL PROTECTED]
Subject: server was hacked

> I'm running FBSD 5.4 as a web server. The server is behind a Cisco firewall/router and has a lot of CMS (Joomla / Mambo) sites on it. I noticed that when I ran sockstat I was seeing multiple IPs connected to high ports on the server with a process ID of psybnc. Did some looking around and found that this is an IRC relay program that was installed through a compromised Mambo site. After getting rid of the program I changed our router to disallow this type of traffic and started trying to fix the box. I'm pretty sure that root wasn't compromised but I'm going to re-install anyway.
>
> My questions: has anyone run into this problem with CMS sites? How exactly are they getting in? What are the things I can do to prevent this? On FBSD how do you checksum binaries on the system to ensure someone hasn't replaced one with their own binary?
>
> Thank you... and all help is greatly appreciated.
>
> -- 
> Brent

Just a piece of advice for the future: if you're running Apache, use mod_security to protect you from similar hacks (you need to update the rules every now and then to stay on top of things):
http://www.modsecurity.org/

You'll also find sample rules at:
www.gotroot.com

Tamouh