Koozali.org: home of the SME Server

IRC bouncer on SME 6.01

dexter
« on: April 06, 2005, 09:50:34 PM »
Hello!

I am using 6.01 in server mode behind a Cisco 1701 with IOS... My SME was hacked yesterday (an IRC bouncer was installed). When I reboot the system, port 6667 stays closed for 5 min. After that it is OPEN and working. Does anybody have any experience with how I can solve this problem?

Tx
--
Andrej Fercic...

CharlieBrady
« Reply #1 on: April 06, 2005, 10:23:20 PM »
Quote from: "dexter"

I am using 6.01 in server mode behind a Cisco 1701 with IOS... My SME was hacked yesterday (an IRC bouncer was installed). When I reboot the system, port 6667 stays closed for 5 min. After that it is OPEN and working. Does anybody have any experience with how I can solve this problem?

Tx


CERT has comprehensive advice on recovery from a break-in.

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

You don't mention whether you consider port 6667 staying closed for five minutes to be the problem, or that it becomes open.

You shouldn't be reconnecting a cracked server to the Net until you are absolutely certain that it is in a "clean" state. You shouldn't be connecting an SME server in serveronly mode to the Net, and you probably shouldn't be running an IRC bouncer.

paulmancan2

« Reply #2 on: April 07, 2005, 03:08:41 AM »
If I'm not mistaken he means that one of the things that made him aware was that the intruder installed an IRC Bouncer on the SME box.

Do you have any indication of how the system was compromised?