Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: dexter on April 06, 2005, 09:50:34 PM

Title: IRC bouncer on SME 6.01
Post by: dexter on April 06, 2005, 09:50:34 PM
Hello!

I am using 6.01 in server mode behind a Cisco 1701 with IOS... My SME was hacked yesterday (an IRC bouncer was installed). When I reboot the system, port 6667 stays closed for 5 min. After that it is OPEN and working. Does anybody have any experience with how I can solve this problem???

Tx
Title: Re: IRC bouncer on SME 6.01
Post by: CharlieBrady on April 06, 2005, 10:23:20 PM
Quote from: "dexter"

I am using 6.01 in server mode behind a Cisco 1701 with IOS... My SME was hacked yesterday (an IRC bouncer was installed). When I reboot the system, port 6667 stays closed for 5 min. After that it is OPEN and working. Does anybody have any experience with how I can solve this problem???

Tx


CERT has comprehensive advice on recovery from a break-in.

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

You don't mention whether you consider port 6667 staying closed for five minutes to be the problem, or that it becomes open.

You shouldn't be reconnecting a cracked server to the Net until you are absolutely certain that it is in a "clean" state. You shouldn't be connecting an SME server in serveronly mode to the Net, and you probably shouldn't be running an IRC bouncer.
Title: IRC bouncer on SME 6.01
Post by: paulmancan2 on April 07, 2005, 03:08:41 AM
If I'm not mistaken, he means that one of the things that made him aware was that the intruder installed an IRC bouncer on the SME box.

Do you have any indication of how the system was compromised?