On Tue, Aug 25, 2009 at 06:16:49AM -0700, Colin Brace typed:
>
> Bill Moran wrote:
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
> >
> > In reality, good security practice says that you should have IPFW (or some
> > other firewall) running and only allowing known good traffic right from
> > the start, which might have protected you from this in the first place.
> >
>
> Bill,
>
> I am surprised you would think I have no firewall. As long as I have had the
> server (2 years), I have had PF installed and running, and I can tell you
> exactly which incoming ports I have open to the net:
>
> tcp_services = "{ ssh smtp www https 4661 4662 52550 }"

But are you blocking any outgoing traffic?

> wifi_tcp_services = "{ ftp ssh bootps whois domain www imap imaps ntp irc
> https sunrpc dict nfs 2628 3689 4711 6667 6909 23398}"
>
> Should I entertain the possibility that someone parked their car near my
> house and hacked in through one of the above ports?

That's certainly possible. But not my first guess.

> Any suggestions as to where to start looking for the breach would be most
> welcome; I am quite new to this game.

My guess (not much more than that) is that someone used a vulnerable web
page, maybe some perl or php application that was exploitable. This because
the rogue process was running as user "www".

Try a find through the entire filesystem for files owned by this user that
you can't account for. Also check your cron and at files under /var/cron
and /var/at.

And try to find out what's starting the process with ps -alx, tracking the
PPIDs.

Good hunting!
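
The PPID tracking suggested in the reply above, as an added example that is not part of the original thread: it walks a process's parent chain and reports the first ancestor running as a different user, which is usually the service that spawned the chain. The function names, the sample rows and the use of `ps -axo pid=,ppid=,user=,command=` (instead of `ps -alx`, to get fixed columns) are assumptions of this example.

```shell
#!/bin/sh
# Added example: trace what started a suspicious process by following PPIDs.

# Constructed sample rows in "pid ppid user command" order (not real output
# from the thread). On a live host, pipe in:
#   ps -axo pid=,ppid=,user=,command=
SAMPLE_PS='1 0 root /sbin/init
612 1 root /usr/sbin/cron -s
701 1 root /usr/local/sbin/httpd -k start
745 701 www /usr/local/sbin/httpd -k start
912 745 www sh -c perl /tmp/unknown.pl
913 912 www perl /tmp/unknown.pl'

# ancestry PID: read ps rows on stdin and print "pid user command" for PID
# and each ancestor, child first. Stops at PID 1, a missing parent or a loop.
ancestry() {
    awk -v start="$1" '
        {
            ppid[$1] = $2; user[$1] = $3
            line = $4
            for (i = 5; i <= NF; i++) line = line " " $i
            cmdline[$1] = line
        }
        END {
            p = start
            while ((p in ppid) && !(p in seen)) {
                seen[p] = 1
                print p, user[p], cmdline[p]
                if (p <= 1) break
                p = ppid[p]
            }
        }'
}

# first_foreign_parent PID: print the PID of the nearest ancestor whose user
# differs from PID's own user (empty output if there is none).
first_foreign_parent() {
    ancestry "$1" | awk 'NR == 1 { u = $2; next } $2 != u { print $1; exit }'
}
```

A chain that ends at cron or at instead of the web server points back to the /var/cron and /var/at check mentioned in the reply.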