From owner-freebsd-security Tue Nov 13 9:40:37 2001
Date: Tue, 13 Nov 2001 12:39:51 -0500 (EST)
From: "Andrew R. Reiter"
To: Stefan Probst
Cc: freebsd-security@FreeBSD.org, Rob Hurle
Subject: Re: Adore worm
In-Reply-To: <5.1.0.14.2.20011114000437.02050a70@MailServer>

It's not a worm; unless it's part of a larger system, it is a backdoor.

I'd reinstall.

On Wed, 14 Nov 2001, Stefan Probst wrote:

:Good Evening,
:
:sorry for newbie-posting, but I don't have too much time to sift through
:archives....
:
:Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
:worm - or infested on purpose:
:
:I found a new directory /usr/lib/.fx/
:which contains all kinds of stuff.
:One README file says:
:>%cat README
:> AdoreBSD 0.34 - Based off Linux Adore by Stealth
:> Copyright (c) 2001 bind@gravitino.net
:>
:>Developed on FreeBSD 4.3-STABLE
:>
:>Installation:
:> # make; make load
:>
:>Features:
:> * hide file or directory from view
:> * make processes invisible
:> * hide promiscuous flag and syslog messages
:> * execute as root
:> * hide sysctl mib entries
:> * netstat service hiding
:> * authentication
:> * module hiding
:
:I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped").
:"rc.conf" was modified and three lines with "/bin/xterm" added. I deleted
:this "xterm" program, since it was also created/modified by the worm.
:"rc" itself shows the date of the infection, but I don't know what was done.
:
:Anything known? Any ideas what to do? Looking forward to pointers....
:Rgds,
:Stefan
:
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-security" in the body of the message
:

--
Andrew R. Reiter
arr@watson.org
arr@FreeBSD.org