Date:      Fri, 9 May 2003 16:21:54 +0200
From:      Borja Marcos <borjamar@sarenet.es>
To:        Peter Elsner <peter@servplex.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Hacked?
Message-ID:  <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
In-Reply-To: <5.2.0.9.2.20030509090341.01796b58@mail.servplex.com>

On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
> open("/dev/fd/.99/.ttyf00",0x0,0666)             = 3 (0x3)

	Look at this. This is a rootkit. What is this file? :-) Probably the 
typical rootkit config file.

	The "strings" command was good at this, but I have seen lately some 
rootkits replacing the strings command. Truss seems to be safer, at 
least for now.

> I'm not exactly sure what I'm looking at... Do you see anything out of 
> the ordinary?

	Yes, something like that :-)

	If you "truss" commands like netstat, ps, etc, I am sure you will find 
similar operations. Look for open system calls with weird filenames or 
files in weird places, like above.

	Borja.
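The check Borja describes, trussing a binary and looking for open() calls on files in odd places, as an added example that is not part of the original thread. It assumes the classic FreeBSD truss line format quoted in the message; the list of system directories and the sample truss output are constructed for illustration.

```python
"""Scan truss(1) output for open() calls on hidden files under system directories."""
import re
import sys

# Path argument of an open() call, e.g. open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
OPEN_RE = re.compile(r'^open\("([^"]*)",')

# Directories where a system binary has no business opening dot-prefixed
# (hidden) files or directories. Assumption: tune this list per host.
SYSTEM_DIRS = ("/dev", "/bin", "/sbin", "/usr/bin", "/usr/sbin",
               "/usr/lib", "/usr/libexec", "/etc")


def open_paths(lines):
    """Return every path passed to open() in the given truss output lines."""
    paths = []
    for line in lines:
        m = OPEN_RE.match(line.strip())
        if m:
            paths.append(m.group(1))
    return paths


def is_suspicious(path):
    """True if a hidden path component sits under a system directory,
    the pattern seen in the /dev/fd/.99/.ttyf00 open() from the thread."""
    if not path.startswith(SYSTEM_DIRS):
        return False
    parts = path.split("/")[1:]
    return any(p.startswith(".") and p not in (".", "..") for p in parts)


def suspicious_opens(lines):
    """Paths from the truss output that match the hidden-file heuristic."""
    return [p for p in open_paths(lines) if is_suspicious(p)]


# Constructed sample resembling a truss of a trojaned netstat.
SAMPLE = """\
open("/etc/malloc.conf",0x0,0666)                = -1 errno 2 'No such file or directory'
open("/dev/fd/.99/.ttyf00",0x0,0666)             = 3 (0x3)
open("/usr/lib/libc.so.4",0x0,0666)              = 4 (0x4)
open("/dev/null",0x1,0666)                       = 5 (0x5)
"""

if __name__ == "__main__":
    # Read piped truss output (e.g. truss netstat 2>&1 | python3 scan.py), else the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE.splitlines()
    for p in suspicious_opens(lines):
        print("suspicious open:", p)
```

The heuristic only catches the hidden-directory trick; a review of the full open() list by eye is still worthwhile, since a kit can just as well use an innocuous-looking name.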