Re: psybnc and IRC hack
From: Patrick Fish (patrick@pwhsnet.com)
Date: 12/03/02
Date: Mon, 02 Dec 2002 20:59:41 -0800
From: Patrick Fish <patrick@pwhsnet.com>
To: neallist@wispair.net, stabilizer@klentaq.com
> This doesn't belong on freebsd-security.
>
> Read this first:
>
> http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/security.html
>
> If you're still confused get on an Undernet IRC server, go to #freebsdhelp, and
> ask for assistance. It's best to show between 18:00 and 24:00 EST from my
> experience. There are probably other places you could check, this one I frequent
> and I know they'll help new people.
If you have no luck there, try EFnet (same channel).
>
>
>
> Charles Swiger wrote:
>
> > [ This probably belongs on freebsd-security, instead... ]
> >
> > Wayne M Barnes wrote:
> > > How can I best recover from, and defend myself from, a hacker
> > > who breaks into my system and runs a program called psybnc
> > > without my permission? I think he is using my system as a
> > > front/slave.
> >
> > Yes. Unless you installed an IRC bouncer-- or whatever it was being used for--
> > yourself, it's a safe bet that your machine was hacked. You haven't identified
> > much about the system-- OS version, what service was compromised (if you know,
> > and you should investigate that), as well as form an incident timeline.
> >
> > The best way to recover is to back up the compromised system, for recovery of
> > your data and later forensics if you (or your ISP) chooses to investigate
> > further.
> >
> > Reinstall the latest version of FreeBSD from a known-good image, possibly using
> > CVSUP to upgrade to -STABLE or the security branch for your version
> > (RELENG_4_7?).
> >
> > Then restore your data (after making sure nothing was compromised...that means
> > do not copy data, especially executables without checking them against prior
> > backups).
> >
> > > For now, I have killed psybnc, deleted the directory of stuff
> > > that he put in, and changed my password. Is that any good?
> >
> > It's a good starting point, yes, but it certainly isn't sufficient.
> >
> > > Can there be a real vaccination built in to FreeBSD?
> >
> > Yes. It's easy to compare your system against the software from the OS install
> > disk; where many people encounter problems is with the changes they've made
> > afterwards themselves. How complete are your backups?
> >
> > -Chuck
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
pf
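
Added example, not part of the thread: one way to carry out the check quoted above, comparing data taken from the compromised machine against a backup made before the incident, before anything is restored. The function name `audit_restore` and both directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Directory arguments are hypothetical.
# Compares every regular file under SUSPECT_DIR (data pulled from the
# compromised host) with the same path under BASELINE_DIR (a backup taken
# before the incident). Paths containing newlines are not supported.
#   CHANGED <path>   content differs from the baseline copy
#   NEW <path>       no baseline copy exists
#   NEW-EXEC <path>  no baseline copy, and the file is executable
# Returns 0 if nothing was flagged, 1 if anything was, 2 on bad arguments.
audit_restore() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    baseline=$(cd "$2" && pwd) || return 2   # absolute, survives the cd below
    findings=$(
        cd "$1" || exit 2
        find . -type f | sort | while IFS= read -r rel; do
            rel=${rel#./}
            if [ ! -f "$baseline/$rel" ]; then
                if [ -x "$rel" ]; then
                    printf 'NEW-EXEC %s\n' "$rel"
                else
                    printf 'NEW %s\n' "$rel"
                fi
            elif ! cmp -s "$rel" "$baseline/$rel"; then
                printf 'CHANGED %s\n' "$rel"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as: sh audit_restore.sh SUSPECT_DIR BASELINE_DIR
if [ "$#" -eq 2 ]; then
    audit_restore "$1" "$2"
fi
```

Run it from the freshly reinstalled system or other trusted media, since `find` and `cmp` on the compromised host cannot be trusted.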