Date: Wed, 14 Nov 2001 00:13:21 +0700 From: Stefan Probst <stefan.probst@opticom.v-nam.net> To: freebsd-security@FreeBSD.ORG Cc: Rob Hurle <rob@coombs.anu.edu.au> Subject: Adore worm Message-ID: <5.1.0.14.2.20011114000437.02050a70@MailServer> In-Reply-To: <20011113170655.A9FE737B416@hub.freebsd.org>
Good Evening,
Sorry for the newbie posting, but I don't have too much time to sift through
the archives....
Looks like my FreeBSD 4.2 box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
worm - or was infested on purpose:
I found a new directory /usr/lib/.fx/
which contains all kind of stuff.
One README file says:
>%cat README
> AdoreBSD 0.34 - Based off Linux Adore by Stealth
> Copyright (c) 2001 bind@gravitino.net
>
>Developed on FreeBSD 4.3-STABLE
>
>Installation:
> # make; make load
>
>Features:
> * hide file or directory from view
> * make processes invisible
> * hide promiscuous flag and syslog messages
> * execute as root
> * hide sysctl mib entries
> * netstat service hiding
> * authentication
> * module hiding
I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped").
"rc.conf" was modified and three lines with "/bin/xterm" were added. I deleted
this "xterm" program, since it was also created/modified by the worm.
"rc" itself shows the date of the infection, but I don't know what was done.
Anything known? Any ideas what to do? Looking forward to pointers....
Rgds,
Stefan
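The README quoted above advertises "make processes invisible", and the poster notes that ps no longer works. The script below is an added example, not part of the original message and not code from AdoreBSD or its author: it cross-checks two views of the process table, the list ps gets from the kernel and a direct kill(2) probe of every PID with signal 0, and reports PIDs that answer the probe but are missing from ps. It assumes a POSIX sh with a kill builtin, ps(1) accepting `-o pid=`, mktemp, and comm; the 99999 fallback for the highest PID is an assumption (it matches FreeBSD 4.x PID_MAX), and the names of all functions are the example's own.

```shell
#!/bin/sh
# Added example: find processes that exist but that ps does not list.
# Not from the original post or from AdoreBSD. Assumes POSIX sh with a
# kill builtin, ps -o pid=, mktemp and comm.

# View 1: the PIDs the kernel's process list hands to ps. A kernel-module
# rootkit that "makes processes invisible" filters this view. Output is
# one PID per line, lexically sorted so comm(1) can consume it.
ps_pids() {
    { ps -A -o pid= 2>/dev/null || ps -ax -o pid= 2>/dev/null; } \
        | tr -d ' \t' | grep -E '^[0-9]+$' | sort -u
}

# View 2: send signal 0 to every PID in LO..HI. kill(2) returns success,
# or EPERM for another user's process, when the PID exists, and ESRCH when
# it does not. Only builtins are used inside the loop, so no fork per PID.
# Usage: probe_pids LO HI
probe_pids() {
    lo=$1; hi=$2; pid=$lo
    t=$(mktemp) || return 1
    while [ "$pid" -le "$hi" ]; do
        if kill -0 "$pid" 2>"$t"; then
            echo "$pid"
        else
            line=
            read -r line < "$t" || :
            # "Operation not permitted" still proves the process exists.
            case $line in *ermitted*) echo "$pid" ;; esac
        fi
        pid=$((pid + 1))
    done
    rm -f "$t"
}

# Highest PID worth probing: the kernel's limit where it is exposed,
# otherwise 99999 (assumption: FreeBSD 4.x PID_MAX).
max_pid() {
    if [ -r /proc/sys/kernel/pid_max ]; then
        cat /proc/sys/kernel/pid_max
    elif v=$(sysctl -n kern.pid_max 2>/dev/null) && [ -n "$v" ]; then
        echo "$v"
    else
        echo 99999
    fi
}

# PIDs present in the probe (view 2) but absent from ps (view 1).
# Usage: hidden_pids [LO [HI]]
hidden_pids() {
    lo=${1:-1}; hi=${2:-$(max_pid)}
    probed=$(mktemp) || return 1
    listed=$(mktemp) || return 1
    ps_pids > "$listed"
    probe_pids "$lo" "$hi" | sort -u > "$probed"
    # comm -23 prints lines only in the first file: candidates for hiding.
    for pid in $(comm -23 "$probed" "$listed"); do
        # Re-check both views to drop processes that merely started or
        # exited between the two snapshots (the usual noise of this method).
        [ -n "$(probe_pids "$pid" "$pid")" ] || continue
        ps_pids | grep -qx "$pid" && continue
        echo "$pid"
    done
    rm -f "$probed" "$listed"
}

# Stand-alone use: sh hidden_pids.sh scan [LO [HI]]
if [ "${1:-}" = scan ]; then
    hidden_pids "${2:-1}" "${3:-}"
fi
```

Two caveats a responder would want. First, on the poster's box ps itself is broken ("cannot fork"), so view 1 comes back empty and every live PID is reported; that is still informative (the probe list is the real process table), but it is a symptom of the tampering, not a finding about individual processes. Second, a module that sits in the kernel can hook kill(2) and sysctl just as easily as the process listing, so an empty result from a script run on the compromised host proves nothing; the trustworthy check is to boot from clean media and examine the disk from there.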
