Date:      Tue, 13 Nov 2001 11:03:01 -0700
From:      "Don Sutter" <drs@suntreeaz.com>
To:        "Stefan Probst" <stefan.probst@opticom.v-nam.net>
Cc:        <freebsd-security@freebsd.org>
Subject:   Re: Adore worm
Message-ID:  <005a01c16c6d$6f2ade40$13fea8c0@drs>
References:  <5.1.0.14.2.20011114000437.02050a70@MailServer>

Has anyone tried looking at:
http://www.sophos.com/virusinfo/analyses/linuxadore.html?

----- Original Message -----
From: "Stefan Probst" <stefan.probst@opticom.v-nam.net>
To: <freebsd-security@FreeBSD.ORG>
Cc: "Rob Hurle" <rob@coombs.anu.edu.au>
Sent: Tuesday, November 13, 2001 10:13 AM
Subject: Adore worm


> Good Evening,
>
> sorry for newbie-posting, but I don't have too much time to sift through
> archives....
>
> Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> worm - or infested by purpose:
>
> I found a new directory /usr/lib/.fx/
> which contains all kinds of stuff.
> One README file says:
> >%cat README
> >                  AdoreBSD 0.34 - Based off Linux Adore by Stealth
> >                       Copyright (c) 2001 bind@gravitino.net
> >
> >Developed on FreeBSD 4.3-STABLE
> >
> >Installation:
> >   # make; make load
> >
> >Features:
> >   * hide file or directory from view
> >   * make processes invisible
> >   * hide promiscuous flag and syslog messages
> >   * execute as root
> >   * hide sysctl mib entries
> >   * netstat service hiding
> >   * module hiding
>
> I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped").
> "rc.conf" was modified and three lines with "/bin/xterm" added. I deleted
> this "xterm" program, since it was also created/modified by the worm.
> "rc" itself shows the date of the infection, but I don't know what was done.
>
> Anything known? Any ideas what to do? Looking forward to pointers....
> Rgds,
> Stefan
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


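As an added defender's example that is not part of this thread, the following POSIX sh script checks a filesystem tree for the on-disk indicators Stefan described: the hidden /usr/lib/.fx directory, rc.conf lines referencing /bin/xterm, and the /bin/xterm binary itself (xterm is not part of the FreeBSD base system's /bin). The function name check_adore_indicators, its root-path argument and the demo function are my own; the "infected" tree that demo builds in a temporary directory is constructed for illustration and nothing is written outside that directory.

```shell
#!/bin/sh
# Added example, not code from the thread: scan a filesystem root for the
# AdoreBSD indicators reported in the original post. ROOT defaults to / but
# should normally be the mount point of the suspect disk on a clean-booted
# system (see the note below). Prints one HIT line per indicator on stderr
# and the number of indicators found on stdout.

check_adore_indicators() {
    root="${1:-/}"
    hits=0

    # 1. The hidden rootkit directory named in the original post.
    if [ -d "$root/usr/lib/.fx" ]; then
        echo "HIT: hidden directory $root/usr/lib/.fx exists" >&2
        hits=$((hits + 1))
    fi

    # 2. rc.conf entries that would start /bin/xterm at boot
    #    (Stefan found three such lines added).
    if [ -f "$root/etc/rc.conf" ] && grep -q '/bin/xterm' "$root/etc/rc.conf"; then
        echo "HIT: /bin/xterm referenced in $root/etc/rc.conf:" >&2
        grep -n '/bin/xterm' "$root/etc/rc.conf" >&2
        hits=$((hits + 1))
    fi

    # 3. The dropped binary itself; the base system ships no /bin/xterm.
    if [ -e "$root/bin/xterm" ]; then
        echo "HIT: unexpected binary $root/bin/xterm" >&2
        hits=$((hits + 1))
    fi

    echo "$hits"
}

# Constructed demonstration: build a fake infected tree in a temp dir,
# run the check against it (expect 3 hits), then clean up.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/lib/.fx" "$t/etc" "$t/bin"
    printf 'sshd_enable="YES"\n/bin/xterm\n/bin/xterm\n/bin/xterm\n' > "$t/etc/rc.conf"
    : > "$t/bin/xterm"
    check_adore_indicators "$t"
    rm -rf "$t"
}

# Usage on a real system: mount the suspect disk read-only from trusted
# media, then:  . ./adore_check.sh; check_adore_indicators /mnt
```

Because the README advertises file, process and module hiding, a kernel-resident rootkit can lie to every tool run on the live system, this script included; run it against the disk mounted from a trusted boot medium (pass the mount point as the root argument), and treat any hit as grounds to rebuild the host from known-good media rather than only deleting the files it finds.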