From owner-freebsd-security@FreeBSD.ORG Fri May 9 07:21:16 2003
Date: Fri, 9 May 2003 16:21:54 +0200
From: Borja Marcos <borjamar@sarenet.es>
To: Peter Elsner
Cc: freebsd-security@freebsd.org
Subject: Re: Hacked?
In-Reply-To: <5.2.0.9.2.20030509090341.01796b58@mail.servplex.com>
Message-Id: <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
List-Id: Security issues [members-only posting]

On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:

> open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)

Look at this. This is a rootkit. What is this file? :-) Probably the typical rootkit config file.

The "strings" command was good at this, but I have seen lately some rootkits replacing the strings command. Truss seems to be safer, at least for now.

> I'm not exactly sure what I'm looking at... Do you see anything out of
> the ordinary?

Yes, something like that :-)

If you "truss" commands like netstat, ps, etc., I am sure you will find similar operations. Look for open system calls with weird filenames or files in weird places, like above.

Borja.
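The check Borja describes (truss a suspect binary and look for open() calls on odd paths) as an added shell example; this is not code from the thread or from FreeBSD. It assumes the classic FreeBSD truss output format shown in the quoted line, open("path",flags,mode) = fd, and treats two things as suspicious: a hidden (dot-prefixed) component anywhere in the path, and a path under a subdirectory of /dev other than the normal /dev/fd/N entries. The sample truss lines embedded below are constructed for the example; only the /dev/fd/.99/.ttyf00 line is taken from the message. The check_commands wrapper needs a real truss in PATH and is not exercised offline.

```shell
#!/bin/sh
# Added example: flag suspicious open() calls in FreeBSD truss output.
# Not part of the original thread. The sample below is constructed; the
# /dev/fd/.99/.ttyf00 line is the one quoted in the message.
SAMPLE_TRUSS_OUTPUT=$(cat <<'EOF'
open("/etc/malloc.conf",0x0,0666) ERR#2 'No such file or directory'
open("/usr/lib/libc.so.5",0x0,00) = 3 (0x3)
open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
open("/dev/fd/3",0x0,0666) = 4 (0x4)
open("/usr/lib/.x/rk.conf",0x0,0666) = 5 (0x5)
open("/dev/null",0x1,0666) = 6 (0x6)
EOF
)

# suspicious_opens: read truss output on stdin, print the path of every
# open() call that looks like a rootkit hiding place:
#   - any hidden component ("/.something") anywhere in the path, e.g.
#     /dev/fd/.99/.ttyf00 or /usr/lib/.x/rk.conf
#   - a path below a subdirectory of /dev, except the legitimate /dev/fd/N
#     descriptor entries (plain device nodes such as /dev/null are fine)
suspicious_opens() {
    # keep only the quoted path argument of open() lines
    sed -n 's/^open("\([^"]*\)".*/\1/p' |
    awk '
        /\/\.[^\/]/                                  { print; next }
        /^\/dev\/[^\/]+\// && !/^\/dev\/fd\/[0-9]+$/ { print; next }
    '
}

# check_commands: truss each named command (FreeBSD only; truss writes its
# trace to stderr, the command's own stdout is discarded) and report
# suspicious opens. Usage: check_commands netstat ps ls
check_commands() {
    for cmd in "$@"; do
        echo "== $cmd"
        truss "$cmd" 2>&1 >/dev/null | suspicious_opens
    done
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_TRUSS_OUTPUT" | suspicious_opens
```

Run it on a live FreeBSD box as root with something like `check_commands netstat ps ls login`, and compare against a known-clean install: a trojaned ps or netstat typically reads its list of hidden processes or ports from exactly the kind of dotfile this filter reports. The filter is heuristic and will not catch a rootkit that keeps its config at an innocuous-looking path, so treat a clean run as weak evidence, not a clean bill of health.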