From: "Don Sutter"
To: "Stefan Probst"
Subject: Re: Adore worm
Date: Tue, 13 Nov 2001 11:03:01 -0700

Has anyone tried looking at:
http://www.sophos.com/virusinfo/analyses/linuxadore.html?

----- Original Message -----
From: "Stefan Probst"
Cc: "Rob Hurle"
Sent: Tuesday, November 13, 2001 10:13 AM
Subject: Adore worm

> Good Evening,
>
> sorry for newbie-posting, but I don't have too much time to sift through
> archives....
>
> Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> worm - or infested on purpose:
>
> I found a new directory /usr/lib/.fx/
> which contains all kinds of stuff.
> One README file says:
> >%cat README
> > AdoreBSD 0.34 - Based off Linux Adore by Stealth
> > Copyright (c) 2001 bind@gravitino.net
> >
> >Developed on FreeBSD 4.3-STABLE
> >
> >Installation:
> > # make; make load
> >
> >Features:
> > * hide file or directory from view
> > * make processes invisible
> > * hide promiscuous flag and syslog messages
> > * execute as root
> > * hide sysctl mib entries
> > * netstat service hiding
> > * authentication
> > * module hiding
>
> I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped").
> "rc.conf" was modified and three lines with "/bin/xterm" added. I deleted
> this "xterm" program, since it was also created/modified by the worm.
> "rc" itself shows the date of the infection, but I don't know what was done.
>
> Anything known? Any ideas what to do? Looking forward to pointers....
> Rgds,
> Stefan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
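A small triage check for the two host indicators Stefan's report names (a dot-directory under /usr/lib such as /usr/lib/.fx, and rc.conf assignments that invoke /bin/xterm), as an added example that is not part of the thread. The rc.conf text and the /usr/lib listing are constructed, and the assumption that a stock FreeBSD 4.x /usr/lib contains no dot-entries is mine, not the thread's.

```python
import re

# Constructed sample: a plain 4.x rc.conf plus three injected lines of the
# kind described in the thread (three assignments that run /bin/xterm).
SAMPLE_RC_CONF = """\
hostname="sparky.example"
sshd_enable="YES"
ifconfig_fxp0="DHCP"
# a stock rc.conf has no reason to mention /bin/xterm at all
local_startup="/usr/local/etc/rc.d /bin/xterm"
xterm_enable="YES"
xterm_program="/bin/xterm"
xterm_flags="/bin/xterm -e /usr/lib/.fx/start"
"""

# Constructed directory listing of /usr/lib on the affected host.
SAMPLE_USR_LIB = ["libc.so.4", "libcrypt.so.2", ".fx", "aout"]

# sh-style assignment: name=value, value optionally in matching quotes.
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(["\']?)(.*)\2\s*$')


def suspicious_rc_lines(rc_text, binary="/bin/xterm"):
    """Return (lineno, var, value) for rc.conf assignments whose value
    references `binary`. Comment lines are not assignments, so a mention
    inside a comment is not reported."""
    hits = []
    for n, line in enumerate(rc_text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m and binary in m.group(3):
            hits.append((n, m.group(1), m.group(3)))
    return hits


def hidden_entries(listing):
    """Dot-entries in a /usr/lib listing ('.' and '..' excluded). Assumption:
    a stock FreeBSD 4.x /usr/lib has none, so each one deserves a look."""
    return sorted(e for e in listing if e.startswith(".") and e not in (".", ".."))


def triage(rc_text, usr_lib_listing):
    """Combine both checks into one report for the host."""
    return {"rc_conf": suspicious_rc_lines(rc_text),
            "usr_lib_hidden": hidden_entries(usr_lib_listing)}


if __name__ == "__main__":
    # On a live host, read /etc/rc.conf and os.listdir("/usr/lib") instead.
    print(triage(SAMPLE_RC_CONF, SAMPLE_USR_LIB))
```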