> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brent
> Sent: August 11, 2007 7:21 AM
> To: [EMAIL PROTECTED]
> Subject: server was hacked
>
> I'm running FBSD 5.4 as a web server. The server is behind a
> Cisco firewall/router and the server has a lot of CMS Joomla /
> Mambo sites on it. I noticed that when I ran sockstat I was
> seeing multiple IPs connected to high ports on the server
> with a process id of "psybnc". Did some looking around &
> found that this is an IRC relay program that was installed
> through a compromised Mambo site. After getting rid of the
> program I changed our router to disallow this type of
> traffic & started trying to fix the box. I'm pretty sure that
> root wasn't compromised but I'm going to re-install anyway. My
> question: has anyone run into this problem with CMS sites? How
> exactly are they getting in?
> What are the things I can do to prevent this? On FBSD how do
> you checksum binaries on the system to ensure someone hasn't
> replaced one with their own binary?
>
> Thank you... any & all help is greatly appreciated.
>
> --
> Brent
>

Just some advice for the future: if you're running Apache, use mod_security to protect you from similar hackings (need to update the rules every now and then to stay on top of things):

http://www.modsecurity.org/

You'll also find sample rules at: www.gotroot.com

Tamouh

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
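
The sockstat observation in the original message (an unexpected command holding high ports with many remote peers), as an added detection example that is not part of the thread. The sample `sockstat -4` output is constructed, and the `EXPECTED` allowlist and the 1024 port threshold are assumptions to adjust per host.

```python
from collections import defaultdict

# Constructed sample of FreeBSD `sockstat -4` output (documentation address ranges).
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      812   3  tcp4   *:80                  *:*
www      httpd      812   9  tcp4   192.0.2.10:80         198.51.100.23:50112
root     sshd       640   4  tcp4   *:22                  *:*
www      psybnc     4410  5  tcp4   *:31337               *:*
www      psybnc     4410  7  tcp4   192.0.2.10:31337      198.51.100.7:41822
www      psybnc     4410  8  tcp4   192.0.2.10:31337      203.0.113.54:60211
www      psybnc     4410  9  tcp4   192.0.2.10:49170      203.0.113.99:6667
"""

# Assumption: daemons this web server is expected to run.
EXPECTED = {"httpd", "sshd", "sendmail", "named", "ntpd"}


def port_of(addr):
    """Return the port of an 'ip:port' field, or None for a wildcard port."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def suspicious_sockets(text, expected=EXPECTED, high_port=1024):
    """Map (user, command, pid) -> listening ports and remote peers for
    commands outside the allowlist that hold TCP sockets on high local ports."""
    findings = defaultdict(lambda: {"listen": set(), "peers": set()})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "USER":
            continue  # header or a line that is not a socket row
        user, cmd, pid, _fd, proto, local, foreign = fields
        if not proto.startswith("tcp") or cmd in expected:
            continue
        lport = port_of(local)
        if lport is None or lport < high_port:
            continue
        entry = findings[(user, cmd, int(pid))]
        if foreign == "*:*":
            entry["listen"].add(lport)      # listening socket
        else:
            entry["peers"].add(foreign.rsplit(":", 1)[0])  # connected remote IP
    return dict(findings)


if __name__ == "__main__":
    for (user, cmd, pid), info in suspicious_sockets(SAMPLE).items():
        print(f"{cmd} (pid {pid}, user {user}): listening on "
              f"{sorted(info['listen'])}, {len(info['peers'])} distinct remote hosts")
```

A finding owned by the web server's user, as in the sample, points at the web application as the entry path, which matches what the original poster reported.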