After I stopped being lazy (my sincere apologies) and did a little backtracking, I realized I had been seriously compromised.

A cronjob had been installed in /var/tmp/httpd.cron. This contained the following disturbing files:

drwxr-xr-x  3 www  wheel   512B Jun 23 23:30 ../
-rw-r--r--  1 www  wheel   327M Jun 22 09:46 my.summer.of.love.2005.italian.md.ts.xvid-mcf.avi
drwxr-xr-x  4 www  wheel   1.0K Jun 22 06:31 ./
-rw-r--r--  1 www  wheel   482M Jun 21 22:39 My.SuMMer.Of.LoVe.2005.iTaLiaN.MD.TS.XviD-MCF.avi
-rw-r--r--  1 www  wheel   1.1K Jun 21 07:08 Infodll.state
-rw-r--r--  1 www  wheel   1.1K Jun 21 07:05 Infodll.state~
-rw-r--r--  1 www  wheel     0B Jun 19 16:54 PROFONDO_BLU_.avi
-rw-r--r--  1 www  wheel   6.0K Jun 16 01:05 README.txt
-rw-r--r--  1 www  wheel   1.5K Jun 12 21:46 httpd.cron
-rwxr-xr-x  1 www  wheel   207K Jun 10 18:52 stat*
drwxr-xr-x  2 www  wheel   512B Jun 10 18:52 obj/
-rwxr-xr-x  1 www  wheel  59.8K Jun 10 18:51 convertxdccfile*
-rw-r--r--  1 www  wheel   4.2K Jun 10 18:51 Makefile
drwxr-xr-x  2 www  wheel   512B Jun 10 18:51 src/
-r--r--r--  1 www  wheel  22.6K Jan 17 00:17 sample.config
-r--r--r--  1 www  wheel  15.6K Jan 17 00:17 COPYING
-r--r--r--  1 www  wheel  23.0K Jan 17 00:17 WHATSNEW
-r--r--r--  1 www  wheel   4.0K Jan 17 00:17 Makefile.config
-r-xr-xr-x  1 www  wheel  28.5K Jan 17 00:17 Configure*
-r-xr-xr-x  1 www  wheel   857B Jan 17 00:17 iroffer.cron*
-r-xr-xr-x  1 www  wheel   942B Jan 17 00:17 dynip.sh*
-r--r--r--  1 www  wheel   5.0K Jan 17 00:17 README
-rw-r--r--  1 www  wheel    15B Jan 17 00:17 .cset_number

Iroffer had been installed: http://iroffer.org/

The cronjob did the following:

more httpd.cron

################### Logging #################
#pidfile Infodll.pid
#logfile Infodll.log
logstats no
logrotate weekly
statefile Infodll.state
###########################################

#################### Connection #############
connectionmethod direct
server 66.225.223.54 6666
server 66.225.223.54 6669
server 66.225.223.54 6667
channel #Eternity -key otis
channel #Eternity.staff -key otis
user_realname ETE
user_modes +ix
loginname ETE
tcprangestart 4000
#usenatip 195.41.47.74
###########################################

#################### Slots and Queues ##############
slotsmax 15
queuesize 25
nickserv_pass beatat
maxtransfersperperson 1
maxqueueditemsperperson 1
restrictlist yes
restrictsend yes
#restrictprivlist yes
############################################

##################### Headline ################
creditline ^C14\ \^C15^B Staff f0r #Eternity ^C14\\^B^C
headline ^C14\ \^C15^B Staff f0r #Eternity ^C14\\^B^C
############################################

############# Adminhost and download ###############
adminhost [EMAIL PROTECTED]
adminhost [EMAIL PROTECTED]
adminhost [EMAIL PROTECTED]
uploadhost [EMAIL PROTECTED]
downloadhost [EMAIL PROTECTED]
downloadhost [EMAIL PROTECTED]
#firewall yes
hideos yes
#############################################

################ ADMINPASS GOES HERE ##############
adminpass pYiNmgVwHKZHE
##############################################

####### RUNTIME ADDED #######
filedir /var/tmp/cron/httpd
uploaddir /var/tmp/cron/httpd
user_nick ETE|DivX-01

Using dynip to advertise my box. Aaaargh!

Thanks for the help anyway.

Regards,
Ruben

-----Original Message-----
From: Chuck Swiger [mailto:[EMAIL PROTECTED]]
Sent: June 23, 2005 7:26 PM
To: [EMAIL PROTECTED]
Cc: FreeBSD-questions@FreeBSD.org
Subject: Re: stat running as www weirdness - generating INCOMING traffic

Ruben Bloemgarten wrote:
> I'm seeing weirdness of stat opening up port 4000+ and generating/receiving
> enormous amounts of incoming traffic, i.e. 400Gb over a 24-hour time
> period. Does this sound familiar to anyone? Thanks for any brain usage not
> my own.

Insufficient data. From which port(s) to which port(s), and are the IP addresses on the other side the same or a random range (which would imply your machine has been hacked and is scanning outwards)? Showing a tcpdump of a few example connections would be really useful.

--
-Chuck

--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.7.11/26 - Release Date: 06/22/2005

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
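The posted httpd.cron is an iroffer configuration: the `server` lines name the IRC server the bot joins, and `tcprangestart` is where it starts opening the DCC listening ports Ruben saw at 4000 and up. The script below is an added example, not part of the thread and not iroffer's own code. It parses that one-directive-per-line format (with `#` comments), pulls out the indicators a responder wants to block or hunt for, and matches them against FreeBSD `sockstat -4`-style lines. The sample config reuses values from the posted file; the socket lines, the `stat` PID, the 192.0.2.x/198.51.100.x addresses and the assumed width of the DCC port range (`dcc_ports`) are constructed for the example.

```python
"""Triage helper for an iroffer-style bot config found on a compromised host."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample config; directive values are taken from the posted httpd.cron.
SAMPLE_CONFIG = """\
################### Logging #################
#pidfile Infodll.pid
statefile Infodll.state
connectionmethod direct
server 66.225.223.54 6666
server 66.225.223.54 6669
server 66.225.223.54 6667
channel #Eternity -key otis
channel #Eternity.staff -key otis
tcprangestart 4000
#usenatip 195.41.47.74
filedir /var/tmp/cron/httpd
uploaddir /var/tmp/cron/httpd
user_nick ETE|DivX-01
"""

# Constructed sockstat -4 style output (USER COMMAND PID FD PROTO LOCAL FOREIGN).
SAMPLE_SOCKETS = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      stat       4711  3  tcp4   192.0.2.10:52100      66.225.223.54:6667
www      stat       4711  5  tcp4   *:4000                *:*
www      stat       4711  6  tcp4   192.0.2.10:4001       198.51.100.7:51234
www      httpd      812   4  tcp4   *:80                  *:*
root     sshd       600   4  tcp4   *:22                  *:*
"""


@dataclass
class BotIndicators:
    servers: List[Tuple[str, int]] = field(default_factory=list)  # (host, port)
    channels: List[str] = field(default_factory=list)
    tcprangestart: Optional[int] = None
    dirs: List[str] = field(default_factory=list)
    nick: Optional[str] = None


def parse_config(text: str) -> BotIndicators:
    """Parse 'key value...' lines; a line starting with '#' is a comment
    (commented-out directives such as '#usenatip' are therefore not active)."""
    ind = BotIndicators()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        args = rest.split()
        if key == "server" and len(args) >= 2 and args[1].isdigit():
            ind.servers.append((args[0], int(args[1])))
        elif key == "channel" and args:
            ind.channels.append(args[0])
        elif key == "tcprangestart" and args and args[0].isdigit():
            ind.tcprangestart = int(args[0])
        elif key in ("filedir", "uploaddir") and args:
            ind.dirs.append(args[0])
        elif key == "user_nick":
            ind.nick = rest.strip()
    return ind


SOCK_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """'host:port' -> (host, port); '*' or a non-numeric port becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def suspicious_sockets(sock_text: str, ind: BotIndicators, dcc_ports: int = 100):
    """Return (user, command, pid, reason) for sockets that talk to a configured
    IRC server or listen in the bot's DCC range. dcc_ports is an assumed width
    for the range above tcprangestart, not a value from the config."""
    hits = []
    servers = set(ind.servers)
    for line in sock_text.splitlines():
        m = SOCK_RE.match(line)
        if not m:  # header line and anything malformed
            continue
        user, cmd, pid, _fd, _proto, local, foreign = m.groups()
        _lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        if (fhost, fport) in servers:
            hits.append((user, cmd, int(pid), f"connected to IRC server {fhost}:{fport}"))
        elif (ind.tcprangestart is not None and lport is not None
              and ind.tcprangestart <= lport < ind.tcprangestart + dcc_ports):
            hits.append((user, cmd, int(pid), f"local port {lport} in bot DCC range"))
    return hits


if __name__ == "__main__":
    indicators = parse_config(SAMPLE_CONFIG)
    print("block/hunt for:", indicators)
    for hit in suspicious_sockets(SAMPLE_SOCKETS, indicators):
        print("suspicious:", hit)
```

On a live host the same `parse_config` output feeds a firewall block list (the server IPs and ports) and a `find /var/tmp -user www -perm -u+x` sweep of the directories it names; the `suspicious_sockets` step is the check Chuck asked for, which ports and which remote addresses, done against real `sockstat` output instead of the constructed lines.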