someone explain to me in basic terms how an intruder exploits a vulnerability
such as apparently existed on my system (the RoundCube webmail package was
apparently the culprit) to place the binary file "owned" in /tmp and execute it?
Thanks
-
Colin Brace
Amsterdam
http://lim.nl
--
View this message in context:
http://www.nabble.com/what-www-perl-script-is
Jonathan McKeown wrote:
On Wednesday 26 August 2009 15:44:41 Adam Vande More wrote:
[450 lines including multiple signatures and twelve levels of quoting, all to
say:]
> Specifically what am I confused on? Or are you just going to continue
> with the personal attacks? You've offered no technical rebuttal, simply
> in
On Wed, Aug 26, 2009 at 8:30 AM, Bill Moran wrote:
> In response to Adam Vande More :
>
> > On Wed, Aug 26, 2009 at 7:11 AM, Bill Moran >wrote:
> >
> > > Adam Vande More wrote:
> > > >
> > > > On Tue, Aug 25, 2009 at 2:43 PM, Bill Moran <
> wmo...@potentialtech.com
> > > >wrote:
> > > >
> > > >
ed
.bash/ Contents here:
http://silenceisdefeat.com/~cbrace/www_badstuff-3.gz
Sorry about the multiple tarballs.
-
Colin Brace
Amsterdam
http://lim.nl
y directory.
Oops, I missed six more files written by www to /tmp. Here they are:
http://silenceisdefeat.com/~cbrace/www_badstuff-2.gz
-
Colin Brace
Amsterdam
http://lim.nl
Steve Bertrand said the following on 08/26/2009 01:33 AM:
In this case, OP, look for:
- directories named as such:
-- ...
-- . ..
-- . .
-- etc, particularly under:
-- /var/tmp
-- /tmp
-- or anywhere else the [gu]id of the webserver could possibly write to
Thanks for the comments, Steve.
Colin,
Be aware that what you listed below is what additional scripts the
hacker installed on your server after he broke in.
This does not tell you how the hacker broke in. So your server is
still subject to compromise.
Bests,
olivier
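The checklist above (odd directory names under /tmp and /var/tmp) and the suggestion elsewhere in the thread to find every file owned by the web server user and to check the cron and at spools, as a small read-only sweep script. This is an added example, not code from the thread or from FreeBSD: the function names are invented, it assumes only POSIX sh, find and grep, and the "www" account and the directories in the usage comments are taken from what the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread): read-only sweep for the traces a
# compromised web server account leaves behind. Assumes POSIX sh/find/grep.

# sweep_owned USER DIR... : everything under DIR... owned by USER
# (the "find through the entire filesystem for files owned by this user" idea).
sweep_owned() {
    user="$1"; shift
    find "$@" -user "$user" 2>/dev/null | LC_ALL=C sort
}

# sweep_oddnames DIR... : directories whose names consist only of dots and
# spaces ("...", ". .", ". .."), which look like "." and ".." in a casual ls.
sweep_oddnames() {
    find "$@" -type d -name '.*' 2>/dev/null | while IFS= read -r dir; do
        base=${dir##*/}
        # strip every dot and space; if nothing is left, the name is suspicious
        rest=$(printf '%s' "$base" | tr -d '. ')
        if [ -z "$rest" ]; then
            printf '%s\n' "$dir"
        fi
    done | LC_ALL=C sort
}

# sweep_cron PATTERN DIR... : files under the cron/at spools that mention
# PATTERN, e.g. the perl process that kept coming back after killall.
sweep_cron() {
    pattern="$1"; shift
    # -r recurse, -l print file names only, -s stay quiet about missing dirs
    grep -rls -- "$pattern" "$@" 2>/dev/null | LC_ALL=C sort
}

# Usage as root on the affected host (account name and paths from the thread):
#   sweep_owned www /tmp /var/tmp
#   sweep_oddnames /tmp /var/tmp
#   sweep_cron perl /var/cron /var/at
```

Each function only reads the filesystem and prints paths, so it can be run on the live box before deciding on the reinstall; the output is the list of things to copy off for later analysis, not something to clean up in place.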
>> Try a find through the entire filesystem for files ow
Adam Vande More wrote:
[ huge, huge snip ]
> You said block by destination port. What you presented is not this,
> although it gives a functional environment of it. Sorry for the
> pedantic pursuit here, but IMO terminology is important here.
I've read this thread on a 'best-effort' basis
Colin Brace wrote:
>
> Ruben de Groot wrote:
>> Try a find through the entire filesystem for files owned by this user that
>> you can't account for. Also check your cron and at files under /var/cron
>> and
>> /var/at
>>
>
> I found the cronjob which keeps restarting the script:
>
> [r...@venus
--On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace wrote:
> Bill, one more thing:
>
> Bill Moran wrote:
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
>
> Mike Bristow above
--On Tuesday, August 25, 2009 05:46:43 -0500 Colin Brace wrote:
> Olivier Nicole wrote:
> > > Am I correct in assuming that my system has been hacked and I am running
> > > an IRC server or something?
> >
> > IRC client at least. And yes, I would think that your system has been
> > compromised.
>
> Thanks Olivier
--On Tuesday, August 25, 2009 04:41:33 -0500 Ruben de Groot
wrote:
On Tue, Aug 25, 2009 at 10:19:37AM +0100, Mike Bristow typed:
On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
> Ok, here is what lsof tells me:
>
> $ sudo lsof | grep perl
> perl5.8.9 4272 www3uIPv4
r is a Bad Idea. However, when I set it up, it just
seemed more convenient and flexible.
-
Colin Brace
Amsterdam
http://lim.nl
--On Tuesday, August 25, 2009 07:26:04 -0500 Bill Moran wrote:
> > I am currently killing the process with the following bash command while I
> > decide what to do next:
> >
> > $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15;
> > done
>
> You can add an ipfw rule to prevent the script fr
On Tue, Aug 25, 2009 at 06:16:49AM -0700, Colin Brace typed:
>
>
> Bill Moran wrote:
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
> >
> > In reality, good secu
That is to say: nothing is allowed in unless explicitly allowed.
Everything allowed out.
(plus some ipv6 stuff I was testing with a tunnel)
Merci
-
Colin Brace
Amsterdam
http://lim.nl
rough one of the above ports?
Any suggestions as to where to start looking for the breach would be most
welcome; I am quite new to this game.
Thanks.
-
Colin Brace
Amsterdam
http://lim.nl
In response to Colin Brace :
>
> Olivier Nicole wrote:
> >
> >> Am I correct in assuming that my system has been hacked and I am running
> >> an
> >> IRC server or something?
> >
> > IRC client at least. And yes, I would think that your system has been
> > compromised.
> >
>
> Thanks Olivier.
Colin,
> I suppose this calls for a "bare-metal" reinstall.
> Is it worth first trying to determine how my system was broken into?
It really depends on:
- what is installed on that machine (how long it would take to
reinstall, how much software, how many ports, specially configured stuff).
- how impo
m was broken into?
-
Colin Brace
Amsterdam
http://lim.nl
Hi Colin,
> Am I correct in assuming that my system has been hacked and I am running an
> IRC server or something?
IRC client at least. And yes, I would think that your system has been
compromised.
Good luck,
Olivier
rect in assuming that my system has been hacked and I am running an
IRC server or something?
Thanks.
-----
Colin Brace
Amsterdam
http://lim.nl
On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
> Ok, here is what lsof tells me:
>
> $ sudo lsof | grep perl
> perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP
> gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
>
> The last line would appear to be telling me s
ng, but what?
After 24 hour since rebooting, this perl instance is still crunching away...
-
Colin Brace
Amsterdam
http://lim.nl
On Monday 24 August 2009 10:07:50 Olivier Nicole wrote:
> > Is there a command like fuser or lsof which can be used to determine
> > what files this perl instance is using? Any other ideas on how to figure
> > out what is going on here?
>
> lsof is in the ports.
>
and fstat(1) is in the core.
> Is there a command like fuser or lsof which can be used to determine
> what files this perl instance is using? Any other ideas on how to figure
> out what is going on here?
lsof is in the ports.
best regards,
Olivier
Hi all,
I noticed this morning that a perl script was using a lot of CPU time on
my FreeBSD webserver. By the time I killed it, it had run up 400 mins of
system time according to top.
However, simply killing 'perl5.8.9' didn't accomplish much, it was back
running again moments later. I then