it?
Thanks
-
Colin Brace
Amsterdam
http://lim.nl
--
View this message in context:
http://www.nabble.com/what-www-perl-script-is-running--tp25112050p25167487.html
Sent from the freebsd-questions mailing list archive at Nabble.com.
___
freebsd-questions@freebsd.org mailing list
http
Steve Bertrand said the following on 08/26/2009 01:33 AM:
In this case, OP, look for:
- directories named as such:
-- ...
-- . ..
-- . .
-- etc, particularly under:
-- /var/tmp
-- /tmp
-- or anywhere else the [gu]id of the webserver could possibly write to
Thanks for the comments, Steve.
://silenceisdefeat.com/~cbrace/www_badstuff-2.gz
-
Colin Brace
Amsterdam
http://lim.nl
/~cbrace/www_badstuff-3.gz
Sorry about the multiple tarballs.
-
Colin Brace
Amsterdam
http://lim.nl
Adam Vande More amvandem...@gmail.com wrote:
On Tue, Aug 25, 2009 at 2:43 PM, Bill Moran wmo...@potentialtech.com wrote:
In response to Adam Vande More amvandem...@gmail.com:
On Tue, Aug 25, 2009 at 12:06 PM, Bill Moran wmo...@potentialtech.com
wrote:
In response to Adam Vande
In response to Adam Vande More amvandem...@gmail.com:
On Wed, Aug 26, 2009 at 7:11 AM, Bill Moran wmo...@potentialtech.com wrote:
Adam Vande More amvandem...@gmail.com wrote:
On Tue, Aug 25, 2009 at 2:43 PM, Bill Moran wmo...@potentialtech.com
wrote:
In response to Adam Vande
On Wed, Aug 26, 2009 at 7:11 AM, Bill Moran wmo...@potentialtech.com wrote:
Adam Vande More amvandem...@gmail.com wrote:
On Tue, Aug 25, 2009 at 2:43 PM, Bill Moran wmo...@potentialtech.com
wrote:
In response to Adam Vande More amvandem...@gmail.com:
On Tue, Aug 25, 2009 at 12:06
Jonathan McKeown wrote:
On Wednesday 26 August 2009 15:44:41 Adam Vande More wrote:
[450 lines including multiple signatures and twelve levels of quoting, all to
say:]
Specifically what am I confused on? Or are you just going to continue
with the personal attacks? You've offered no
On Wed, Aug 26, 2009 at 8:30 AM, Bill Moran wmo...@potentialtech.com wrote:
In response to Adam Vande More amvandem...@gmail.com:
On Wed, Aug 26, 2009 at 7:11 AM, Bill Moran wmo...@potentialtech.com
wrote:
Adam Vande More amvandem...@gmail.com wrote:
On Tue, Aug 25, 2009 at 2:43
On Wednesday 26 August 2009 15:44:41 Adam Vande More wrote:
[450 lines including multiple signatures and twelve levels of quoting, all to
say:]
Specifically what am I confused on? Or are you just going to continue
with the personal attacks? You've offered no technical rebuttal, simply
24 hours since rebooting, this perl instance is still crunching away...
-
Colin Brace
Amsterdam
http://lim.nl
On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
Ok, here is what lsof tells me:
$ sudo lsof | grep perl
perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP
gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
The last line would appear to be telling me
On Tue, Aug 25, 2009 at 10:19:37AM +0100, Mike Bristow typed:
On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
Ok, here is what lsof tells me:
$ sudo lsof | grep perl
perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP
gw:51295->94.102.51.57:afs3-fileserver
Hi Colin,
Am I correct in assuming that my system has been hacked and I am running an
IRC server or something?
IRC client at least. And yes, I would think that your system has been
compromised.
Good luck,
Olivier
Colin,
I suppose this calls for a bare-metal reinstall.
Is it worth first trying to determine how my system was broken into?
It really depends on:
- what is installed on that machine (how long it would take to
reinstall, how much software, ports, specially configured stuff).
- how
In response to Colin Brace c...@lim.nl:
Olivier Nicole wrote:
Am I correct in assuming that my system has been hacked and I am running
an
IRC server or something?
IRC client at least. And yes, I would think that your system has been
compromised.
Thanks Olivier.
I am
looking for the breach would be most
welcome; I am quite new to this game.
Thanks.
-
Colin Brace
Amsterdam
http://lim.nl
is allowed in unless explicitly allowed
Everything allowed out.
(plus some ipv6 stuff I was testing with a tunnel)
Merci
-
Colin Brace
Amsterdam
http://lim.nl
On Tue, Aug 25, 2009 at 06:16:49AM -0700, Colin Brace typed:
Bill Moran wrote:
You can add an ipfw rule to prevent the script from calling home, which
will effectively render it neutered until you can track down and actually
_fix_ the problem.
In reality, good security practice
On Tue, Aug 25, 2009 at 06:30:17AM -0700, Colin Brace typed:
Bill, one more thing:
Bill Moran wrote:
You can add an ipfw rule to prevent the script from calling home, which
will effectively render it neutered until you can track down and actually
_fix_ the problem.
Mike Bristow
--On Tuesday, August 25, 2009 07:26:04 -0500 Bill Moran
wmo...@potentialtech.com wrote:
I am currently killing the process with the following bash command while I
decide what to do next:
$ while x=1 ; do sudo killall -9 perl5.8.9 && echo killed... ; sleep 15;
done
You can add an ipfw rule to
, it just
seemed more convenient and flexible.
-
Colin Brace
Amsterdam
http://lim.nl
--On Tuesday, August 25, 2009 04:41:33 -0500 Ruben de Groot mai...@bzerk.org
wrote:
On Tue, Aug 25, 2009 at 10:19:37AM +0100, Mike Bristow typed:
On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
Ok, here is what lsof tells me:
$ sudo lsof | grep perl
perl5.8.9 4272 www
--On Tuesday, August 25, 2009 05:46:43 -0500 Colin Brace c...@lim.nl wrote:
Olivier Nicole wrote:
Am I correct in assuming that my system has been hacked and I am running
an
IRC server or something?
IRC client at least. And yes, I would think that your system has been
compromised.
--On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace c...@lim.nl wrote:
Bill, one more thing:
Bill Moran wrote:
You can add an ipfw rule to prevent the script from calling home, which
will effectively render it neutered until you can track down and actually
_fix_ the problem.
Mike
In response to Paul Schmehl pschmehl_li...@tx.rr.com:
--On Tuesday, August 25, 2009 07:26:04 -0500 Bill Moran
wmo...@potentialtech.com wrote:
I am currently killing the process with the following bash command while I
decide what to do next:
$ while x=1 ; do sudo killall -9 perl5.8.9
In response to Paul Schmehl pschmehl_li...@tx.rr.com:
--On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace c...@lim.nl wrote:
Bill Moran wrote:
You can add an ipfw rule to prevent the script from calling home, which
will effectively render it neutered until you can track down and
On Tue, Aug 25, 2009 at 11:05 AM, Bill Moran wmo...@potentialtech.com wrote:
In response to Paul Schmehl pschmehl_li...@tx.rr.com:
--On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace c...@lim.nl
wrote:
Bill Moran wrote:
You can add an ipfw rule to prevent the script from
In response to Adam Vande More amvandem...@gmail.com:
On Tue, Aug 25, 2009 at 11:05 AM, Bill Moran wmo...@potentialtech.com wrote:
In response to Paul Schmehl pschmehl_li...@tx.rr.com:
--On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace c...@lim.nl
wrote:
Bill Moran wrote:
Colin Brace wrote:
Ruben de Groot wrote:
Try a find through the entire filesystem for files owned by this user that
you can't account for. Also check your cron and at files under /var/cron
and
/var/at
I found the cronjob which keeps restarting the script:
[r...@venus
On Tue, Aug 25, 2009 at 12:06 PM, Bill Moran wmo...@potentialtech.com wrote:
In response to Adam Vande More amvandem...@gmail.com:
On Tue, Aug 25, 2009 at 11:05 AM, Bill Moran wmo...@potentialtech.com
wrote:
In response to Paul Schmehl pschmehl_li...@tx.rr.com:
--On Tuesday,
In response to Adam Vande More amvandem...@gmail.com:
On Tue, Aug 25, 2009 at 12:06 PM, Bill Moran wmo...@potentialtech.com wrote:
In response to Adam Vande More amvandem...@gmail.com:
On Tue, Aug 25, 2009 at 11:05 AM, Bill Moran wmo...@potentialtech.com
wrote:
In response to
On Tue, Aug 25, 2009 at 2:43 PM, Bill Moran wmo...@potentialtech.com wrote:
In response to Adam Vande More amvandem...@gmail.com:
On Tue, Aug 25, 2009 at 12:06 PM, Bill Moran wmo...@potentialtech.com
wrote:
In response to Adam Vande More amvandem...@gmail.com:
On Tue, Aug 25, 2009
Adam Vande More wrote:
[ huge, huge snip ]
You said block by destination port. What you presented is not this,
although it gives a functional environment of it. Sorry for the
pedantic pursuit here, but IMO terminology is important here.
I've read this thread on a 'best-effort' basis
Colin,
Be aware that what you listed below is what additional scripts the
hacker installed on your server after he broke in.
This does not tell you how the hacker broke in. So your server is
still subject to compromise.
Bests,
olivier
Try a find through the entire filesystem for files
Hi all,
I noticed this morning that a perl script was using a lot of CPU time on
my FreeBSD webserver. By the time I killed it, it had run up 400 mins of
system time according to top.
However, simply killing 'perl5.8.9' didn't accomplish much, it was back
running again moments later. I then
Is there a command like fuser or lsof which can be used to determine
what files this perl instance is using? Any other ideas on how to figure
out what is going on here?
lsof is in the ports.
best regards,
Olivier
On Monday 24 August 2009 10:07:50 Olivier Nicole wrote:
Is there a command like fuser or lsof which can be used to determine
what files this perl instance is using? Any other ideas on how to figure
out what is going on here?
lsof is in the ports.
and fstat(1) is in the core.