Date:      Fri, 09 May 2003 10:45:20 -0500
From:      Peter Elsner <peter@servplex.com>
To:        Julian Elischer <julian@elischer.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Hacked?
Message-ID:  <5.2.0.9.2.20030509104258.017c6b50@mail.servplex.com>
In-Reply-To: <Pine.BSF.4.21.0305090837260.4662-100000@InterJet.elischer.org>
References:  <5.2.0.9.2.20030509090341.01796b58@mail.servplex.com>

here's what's in /dev/fd/.99

# cd /dev/fd/.99
# ll
-rw-r--r--  1 root  wheel  70 May  2 18:05 .ttyf00

The contents of that file are:

# more .ttyf00
.99
.ttyf00
.ttyp00
in.inetd
sshd
/sbin/sshd
/usr/sbin/in.inetd
.fx

I have already restored my ls and now my dates are back to normal...  I 
have also restored netstat.

I am now going to do a complete re-install of all binaries...

Before I do, let me know if there's anything else you need...

Peter



At 08:40 AM 5/9/2003 -0700, you wrote:
>Back your system up before wiping it (to maintain evidence)
>then run New copies of netstat and ps to look for hidden backdoor
>programs. In particular look for anything that might install
>kernel modules.. There are now malicious kernel modules :-(
>
>the contents of the config file in /dev/fd/99 would be interesting ;-)
>
>On Fri, 9 May 2003, Peter Elsner wrote:
>
> > Thanks,
> >
> > Here's the output of truss ls
> >
> > mmap(0x0,1968,0x3,0x1000,-1,0x0)                 = 671490048 (0x28062000)
> > munmap(0x28062000,0x7b0)                         = 0 (0x0)
> > __sysctl(0xbfbffab4,0x2,0x280609a8,0xbfbffab0,0x0,0x0) = 0 (0x0)
> > mmap(0x0,32768,0x3,0x1002,-1,0x0)                = 671490048 (0x28062000)
> > geteuid()                                        = 0 (0x0)
> > getuid()                                         = 0 (0x0)
> > getegid()                                        = 0 (0x0)
> > getgid()                                         = 0 (0x0)
> > open("/var/run/ld-elf.so.hints",0x0,00)          = 3 (0x3)
> > read(0x3,0xbfbffa94,0x80)                        = 128 (0x80)
> > lseek(3,0x80,0)                                  = 128 (0x80)
> > read(0x3,0x28067000,0x53)                        = 83 (0x53)
> > close(3)                                         = 0 (0x0)
> > access("/usr/lib/libncurses.so.5",0)             = 0 (0x0)
> > open("/usr/lib/libncurses.so.5",0x0,027757775414) = 3 (0x3)
> > fstat(3,0xbfbffadc)                              = 0 (0x0)
> > read(0x3,0xbfbfeaac,0x1000)                      = 4096 (0x1000)
> > mmap(0x0,266240,0x5,0x2,3,0x0)                   = 671522816 (0x2806a000)
> > mmap(0x2809f000,36864,0x3,0x12,3,0x34000)        = 671739904 (0x2809f000)
> > mmap(0x280a8000,12288,0x3,0x1012,-1,0x0)         = 671776768 (0x280a8000)
> > close(3)                                         = 0 (0x0)
> > access("/usr/lib/libc.so.4",0)                   = 0 (0x0)
> > open("/usr/lib/libc.so.4",0x0,027757775414)      = 3 (0x3)
> > fstat(3,0xbfbffadc)                              = 0 (0x0)
> > read(0x3,0xbfbfeaac,0x1000)                      = 4096 (0x1000)
> > mmap(0x0,626688,0x5,0x2,3,0x0)                   = 671789056 (0x280ab000)
> > mmap(0x2812c000,20480,0x3,0x12,3,0x80000)        = 672317440 (0x2812c000)
> > mmap(0x28131000,77824,0x3,0x1012,-1,0x0)         = 672337920 (0x28131000)
> > close(3)                                         = 0 (0x0)
> > mmap(0x0,608,0x3,0x1000,-1,0x0)                  = 672415744 (0x28144000)
> > munmap(0x28144000,0x260)                         = 0 (0x0)
> > mmap(0x0,4576,0x3,0x1000,-1,0x0)                 = 672415744 (0x28144000)
> > munmap(0x28144000,0x11e0)                        = 0 (0x0)
> > mmap(0x0,13304,0x3,0x1000,-1,0x0)                = 672415744 (0x28144000)
> > munmap(0x28144000,0x33f8)                        = 0 (0x0)
> > sigaction(SIGILL,0xbfbffb34,0xbfbffb1c)          = 0 (0x0)
> > sigprocmask(0x1,0x0,0x280608dc)                  = 0 (0x0)
> > sigaction(SIGILL,0xbfbffb1c,0x0)                 = 0 (0x0)
> > sigprocmask(0x1,0x280608a0,0xbfbffb5c)           = 0 (0x0)
> > sigprocmask(0x3,0x280608b0,0x0)                  = 0 (0x0)
> > readlink("/etc/malloc.conf",0xbfbff3d8,63)       ERR#2 'No such file or directory'
> > mmap(0x0,4096,0x3,0x1002,-1,0x0)                 = 672415744 (0x28144000)
> > break(0x804f000)                                 = 0 (0x0)
> > break(0x8050000)                                 = 0 (0x0)
> > open("/dev/fd/.99/.ttyf00",0x0,0666)             = 3 (0x3)
> > fstat(3,0xbfbff348)                              = 0 (0x0)
> > break(0x8054000)                                 = 0 (0x0)
> > read(0x3,0x8050000,0x4000)                       = 70 (0x46)
> > break(0x8055000)                                 = 0 (0x0)
> > read(0x3,0x8050000,0x4000)                       = 0 (0x0)
> > close(3)                                         = 0 (0x0)
> > ioctl(1,TIOCGETA,0xbfbff54c)                     = 0 (0x0)
> > ioctl(1,TIOCGWINSZ,0xbfbff5b0)                   = 0 (0x0)
> > getuid()                                         = 0 (0x0)
> > stat(".",0xbfbff498)                             = 0 (0x0)
> > open(".",0x0,00)                                 = 3 (0x3)
> > fchdir(0x3)                                      = 0 (0x0)
> > open(".",0x0,00)                                 = 4 (0x4)
> > stat(".",0xbfbff448)                             = 0 (0x0)
> > open(".",0x4,05001215475)                        = 5 (0x5)
> > fstat(5,0xbfbff448)                              = 0 (0x0)
> > fcntl(0x5,0x2,0x1)                               = 0 (0x0)
> > __sysctl(0xbfbff300,0x2,0x28142300,0xbfbff2fc,0x0,0x0) = 0 (0x0)
> > fstatfs(0x5,0xbfbff348)                          = 0 (0x0)
> > getdirentries(0x5,0x8053000,0x1000,0x804e0f4)    = 1024 (0x400)
> > break(0x8056000)                                 = 0 (0x0)
> > getdirentries(0x5,0x8053000,0x1000,0x804e0f4)    = 0 (0x0)
> > lseek(5,0x0,0)                                   = 0 (0x0)
> > close(5)                                         = 0 (0x0)
> > fchdir(0x4)                                      = 0 (0x0)
> > close(4)                                         = 0 (0x0)
> > fstat(1,0xbfbff278)                              = 0 (0x0)
> > break(0x8057000)                                 = 0 (0x0)
> > ioctl(1,TIOCGETA,0xbfbff2ac)                     = 0 (0x0)
> > ._Lonetar       cgi             kernel.GENERIC  modules.old     sys
> > write(1,0x8056000,46)                            = 46 (0x2e)
> > .cshrc          compat          kernel.old      old             tmp
> > write(1,0x8056000,36)                            = 36 (0x24)
> > .profile        dev             lib             proc            usr
> > write(1,0x8056000,29)                            = 29 (0x1d)
> > COPYRIGHT       dist            log             ris_datalogs    var
> > write(1,0x8056000,38)                            = 38 (0x26)
> > bin             etc             logfiles        root            www
> > write(1,0x8056000,29)                            = 29 (0x1d)
> > boot            home            mnt             sbin
> > write(1,0x8056000,22)                            = 22 (0x16)
> > cdrom           kernel          modules         stand
> > write(1,0x8056000,30)                            = 30 (0x1e)
> > exit(0x0)                                       process exit, rval = 0
> >
> > I'm not exactly sure what I'm looking at... Do you see anything out of the
> > ordinary?
> >
> > Thanks again...
> >
> > PS:  I also did an md5 /usr/bin/netstat and got back the following:
> >
> > MD5 (/usr/bin/netstat) = b008226a10f92a397b2d3a045116343c
> >
> > Then I went back to my other box (at the office), and did the same thing...
> >
> > MD5 (/usr/bin/netstat) = 9fdb023cf58ded3cb03fabe0acf04145
> >
> > They are different... I also just noticed that one of our customers got the
> > same security email this morning, with the setuid differences...  Also running
> > 4.7-RELEASE...
> >
> > Peter
> >
> >
> >
> >
> > At 03:46 PM 5/9/2003 +0200, you wrote:
> > >>Notice the f in place of the date?   What does that mean?
> > >
> > >         Perhaps someone has installed a different ls command (and,
> > > presumably, others). Try doing "truss ls" to see if it is reading any
> > > sort of strange file. Rootkits used to have configuration files hidden in
> > > weird places.
> > >
> > >
> > >
> > >
> > >         Borja.
> >
> > 

----------------------------------------------------------------------------------------------------------
Peter Elsner <peter@servplex.com>
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax

I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know,
pretend you don't know me.

Standard $500/message proofreading fee applies for UCE.
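A small triage helper, added here and not part of the thread, that automates the two checks performed above: scanning a `truss` trace for files a stock `ls` has no business opening (the way Borja's "truss ls" suggestion surfaced `/dev/fd/.99/.ttyf00`), and comparing `md5` output for the same binary from two hosts. The allowlist of expected paths is an assumption about a stock FreeBSD 4.x `ls`, and the trace excerpt is constructed from the lines quoted in the thread.

```python
import re

# Excerpt of the "truss ls" trace posted in the thread (constructed from the
# quoted lines; only the path-taking calls are kept).
TRUSS_EXCERPT = """\
open("/var/run/ld-elf.so.hints",0x0,00)          = 3 (0x3)
access("/usr/lib/libncurses.so.5",0)             = 0 (0x0)
open("/usr/lib/libncurses.so.5",0x0,027757775414) = 3 (0x3)
open("/usr/lib/libc.so.4",0x0,027757775414)      = 3 (0x3)
readlink("/etc/malloc.conf",0xbfbff3d8,63)       ERR#2 'No such file or directory'
open("/dev/fd/.99/.ttyf00",0x0,0666)             = 3 (0x3)
stat(".",0xbfbff498)                             = 0 (0x0)
open(".",0x0,00)                                 = 3 (0x3)
"""

# Files a stock FreeBSD 4.x ls(1) touches at startup (assumption: the dynamic
# linker's hints file, shared libraries, malloc.conf and the directory listed).
EXPECTED_EXACT = {"/var/run/ld-elf.so.hints", "/etc/malloc.conf", "."}
EXPECTED_DIRS = ("/usr/lib/",)

PATH_CALL_RE = re.compile(r'^(open|access|stat|readlink)\("([^"]*)"')

def path_accesses(trace):
    """Return (syscall, path) pairs for every path-taking call in a truss trace."""
    hits = []
    for line in trace.splitlines():
        m = PATH_CALL_RE.match(line.strip())
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits

def unexpected_accesses(trace):
    """Paths the traced binary touched that a stock ls has no reason to read."""
    return [(call, path) for call, path in path_accesses(trace)
            if path not in EXPECTED_EXACT
            and not path.startswith(EXPECTED_DIRS)]

def md5_mismatches(report_a, report_b):
    """Compare 'MD5 (path) = hash' lines from two hosts; return paths that differ.

    Boxes on the same release and patch level should agree; a mismatch on a
    core binary like netstat is a reason to reinstall it from trusted media.
    """
    md5_re = re.compile(r"^MD5 \((.+)\) = ([0-9a-f]{32})$")
    def parse(report):
        return dict(md5_re.match(l.strip()).groups()
                    for l in report.splitlines() if l.strip())
    a, b = parse(report_a), parse(report_b)
    return sorted(p for p in a if p in b and a[p] != b[p])

if __name__ == "__main__":
    for call, path in unexpected_accesses(TRUSS_EXCERPT):
        print(f"suspicious {call}() of {path}")
    # The two netstat checksums from the thread: suspect box vs. office box.
    print(md5_mismatches("MD5 (/usr/bin/netstat) = b008226a10f92a397b2d3a045116343c",
                         "MD5 (/usr/bin/netstat) = 9fdb023cf58ded3cb03fabe0acf04145"))
```

Run it against a trace from a binary you trust first, so that the allowlist reflects your own release before you judge a suspect one.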