From owner-freebsd-security@FreeBSD.ORG Fri May 9 08:45:43 2003
Date: Fri, 09 May 2003 10:45:20 -0500
From: Peter Elsner
To: Julian Elischer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Hacked?

here's what's in /dev/fd/.99

# cd /dev/fd/.99
# ll
-rw-r--r--  1 root  wheel  70 May  2 18:05 .ttyf00

The contents of that file are:

# more .ttyf00
.99
.ttyf00
.ttyp00
in.inetd
sshd
/sbin/sshd
/usr/sbin/in.inetd
.fx

I have already restored my ls and now my dates are back to normal...
I have also restored netstat.
I am now going to do a complete re-install of all binaries...
Before I do, let me know if there's anything else you need...
Peter

At 08:40 AM 5/9/2003 -0700, you wrote:
> Back your system up before wiping it (to maintain evidence)
> then run new copies of netstat and ps to look for hidden backdoor
> programs. In particular look for anything that might install
> kernel modules.. There are now malicious kernel modules :-(
>
> the contents of the config file in /dev/fd/99 would be interesting ;-)
>
> On Fri, 9 May 2003, Peter Elsner wrote:
>
> > Thanks,
> >
> > Here's the output of truss ls
> >
> > mmap(0x0,1968,0x3,0x1000,-1,0x0) = 671490048 (0x28062000)
> > munmap(0x28062000,0x7b0) = 0 (0x0)
> > __sysctl(0xbfbffab4,0x2,0x280609a8,0xbfbffab0,0x0,0x0) = 0 (0x0)
> > mmap(0x0,32768,0x3,0x1002,-1,0x0) = 671490048 (0x28062000)
> > geteuid() = 0 (0x0)
> > getuid() = 0 (0x0)
> > getegid() = 0 (0x0)
> > getgid() = 0 (0x0)
> > open("/var/run/ld-elf.so.hints",0x0,00) = 3 (0x3)
> > read(0x3,0xbfbffa94,0x80) = 128 (0x80)
> > lseek(3,0x80,0) = 128 (0x80)
> > read(0x3,0x28067000,0x53) = 83 (0x53)
> > close(3) = 0 (0x0)
> > access("/usr/lib/libncurses.so.5",0) = 0 (0x0)
> > open("/usr/lib/libncurses.so.5",0x0,027757775414) = 3 (0x3)
> > fstat(3,0xbfbffadc) = 0 (0x0)
> > read(0x3,0xbfbfeaac,0x1000) = 4096 (0x1000)
> > mmap(0x0,266240,0x5,0x2,3,0x0) = 671522816 (0x2806a000)
> > mmap(0x2809f000,36864,0x3,0x12,3,0x34000) = 671739904 (0x2809f000)
> > mmap(0x280a8000,12288,0x3,0x1012,-1,0x0) = 671776768 (0x280a8000)
> > close(3) = 0 (0x0)
> > access("/usr/lib/libc.so.4",0) = 0 (0x0)
> > open("/usr/lib/libc.so.4",0x0,027757775414) = 3 (0x3)
> > fstat(3,0xbfbffadc) = 0 (0x0)
> > read(0x3,0xbfbfeaac,0x1000) = 4096 (0x1000)
> > mmap(0x0,626688,0x5,0x2,3,0x0) = 671789056 (0x280ab000)
> > mmap(0x2812c000,20480,0x3,0x12,3,0x80000) = 672317440 (0x2812c000)
> > mmap(0x28131000,77824,0x3,0x1012,-1,0x0) = 672337920 (0x28131000)
> > close(3) = 0 (0x0)
> > mmap(0x0,608,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
> > munmap(0x28144000,0x260) = 0 (0x0)
> > mmap(0x0,4576,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
> > munmap(0x28144000,0x11e0) = 0 (0x0)
> > mmap(0x0,13304,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
> > munmap(0x28144000,0x33f8) = 0 (0x0)
> > sigaction(SIGILL,0xbfbffb34,0xbfbffb1c) = 0 (0x0)
> > sigprocmask(0x1,0x0,0x280608dc) = 0 (0x0)
> > sigaction(SIGILL,0xbfbffb1c,0x0) = 0 (0x0)
> > sigprocmask(0x1,0x280608a0,0xbfbffb5c) = 0 (0x0)
> > sigprocmask(0x3,0x280608b0,0x0) = 0 (0x0)
> > readlink("/etc/malloc.conf",0xbfbff3d8,63) ERR#2 'No such file or directory'
> > mmap(0x0,4096,0x3,0x1002,-1,0x0) = 672415744 (0x28144000)
> > break(0x804f000) = 0 (0x0)
> > break(0x8050000) = 0 (0x0)
> > open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
> > fstat(3,0xbfbff348) = 0 (0x0)
> > break(0x8054000) = 0 (0x0)
> > read(0x3,0x8050000,0x4000) = 70 (0x46)
> > break(0x8055000) = 0 (0x0)
> > read(0x3,0x8050000,0x4000) = 0 (0x0)
> > close(3) = 0 (0x0)
> > ioctl(1,TIOCGETA,0xbfbff54c) = 0 (0x0)
> > ioctl(1,TIOCGWINSZ,0xbfbff5b0) = 0 (0x0)
> > getuid() = 0 (0x0)
> > stat(".",0xbfbff498) = 0 (0x0)
> > open(".",0x0,00) = 3 (0x3)
> > fchdir(0x3) = 0 (0x0)
> > open(".",0x0,00) = 4 (0x4)
> > stat(".",0xbfbff448) = 0 (0x0)
> > open(".",0x4,05001215475) = 5 (0x5)
> > fstat(5,0xbfbff448) = 0 (0x0)
> > fcntl(0x5,0x2,0x1) = 0 (0x0)
> > __sysctl(0xbfbff300,0x2,0x28142300,0xbfbff2fc,0x0,0x0) = 0 (0x0)
> > fstatfs(0x5,0xbfbff348) = 0 (0x0)
> > getdirentries(0x5,0x8053000,0x1000,0x804e0f4) = 1024 (0x400)
> > break(0x8056000) = 0 (0x0)
> > getdirentries(0x5,0x8053000,0x1000,0x804e0f4) = 0 (0x0)
> > lseek(5,0x0,0) = 0 (0x0)
> > close(5) = 0 (0x0)
> > fchdir(0x4) = 0 (0x0)
> > close(4) = 0 (0x0)
> > fstat(1,0xbfbff278) = 0 (0x0)
> > break(0x8057000) = 0 (0x0)
> > ioctl(1,TIOCGETA,0xbfbff2ac) = 0 (0x0)
> > ._Lonetar       cgi             kernel.GENERIC  modules.old     sys
> > write(1,0x8056000,46) = 46 (0x2e)
> > .cshrc          compat          kernel.old      old             tmp
> > write(1,0x8056000,36) = 36 (0x24)
> > .profile        dev             lib             proc            usr
> > write(1,0x8056000,29) = 29 (0x1d)
> > COPYRIGHT       dist            log             ris_datalogs    var
> > write(1,0x8056000,38) = 38 (0x26)
> > bin             etc             logfiles        root            www
> > write(1,0x8056000,29) = 29 (0x1d)
> > boot            home            mnt             sbin
> > write(1,0x8056000,22) = 22 (0x16)
> > cdrom           kernel          modules         stand
> > write(1,0x8056000,30) = 30 (0x1e)
> > exit(0x0) process exit, rval = 0
> >
> > I'm not exactly sure what I'm looking at... Do you see anything out of the
> > ordinary?
> >
> > Thanks again...
> >
> > PS: I also did an md5 /usr/bin/netstat and got back the following:
> >
> > MD5 (/usr/bin/netstat) = b008226a10f92a397b2d3a045116343c
> >
> > Then I went back to my other box (at the office), and did the same thing...
> >
> > MD5 (/usr/bin/netstat) = 9fdb023cf58ded3cb03fabe0acf04145
> >
> > They are different... I also just noticed that one of our customers got the
> > same security email this morning, with the setuid differences... Also
> > running 4.7-RELEASE...
> >
> > Peter
> >
> > At 03:46 PM 5/9/2003 +0200, you wrote:
> > > > Notice the f in place of the date? What does that mean?
> > >
> > > Perhaps someone has installed a different ls command (and,
> > > presumably, others). Try doing "truss ls" to see if it is reading any
> > > sort of strange file. Rootkits used to have configuration files hidden in
> > > weird places.
> > >
> > > Borja.
> >
> > ----------------------------------------------------------------------------------------------------------
> > Peter Elsner
> > Vice President Of Customer Service (And System Administrator)
> > 1835 S. Carrier Parkway
> > Grand Prairie, Texas 75051
> > (972) 263-2080 - Voice
> > (972) 263-2082 - Fax
> > (972) 489-4838 - Cell Phone
> > (425) 988-8061 - eFax
> >
> > I worry about my child and the Internet all the time, even though she's
> > too young to have logged on yet. Here's what I worry about. I worry
> > that 10 or 15 years from now, she will come to me and say "Daddy, where
> > were you when they took freedom of the press away from the Internet?"
> > -- Mike Godwin
> >
> > Unix IS user friendly... It's just selective about who its friends are.
> > System Administration - It's a dirty job, but somebody said I had to do it.
> > If you receive something that says 'Send this to everyone you know,
> > pretend you don't know me.
> >
> > Standard $500/message proofreading fee applies for UCE.
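Added example, not part of this thread or written by any of its participants: a small Python script that applies the two checks the thread arrives at, flagging open() calls in a truss trace that a clean ls has no reason to make, and working out which entries of a raw directory listing the hide list in .ttyf00 would suppress. The trace lines and config are constructed from what the thread shows; the allowlist of legitimate startup files and the name-match rule for the hide list are assumptions.

```python
import re

# Constructed sample in the shape of FreeBSD 4.x truss output, modelled on the
# "truss ls" trace posted in the thread (mmap/read/close noise omitted).
SAMPLE_TRACE = """\
open("/var/run/ld-elf.so.hints",0x0,00) = 3 (0x3)
open("/usr/lib/libncurses.so.5",0x0,027757775414) = 3 (0x3)
open("/usr/lib/libc.so.4",0x0,027757775414) = 3 (0x3)
readlink("/etc/malloc.conf",0xbfbff3d8,63) ERR#2 'No such file or directory'
open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
open(".",0x0,00) = 3 (0x3)
"""

# Hide list as shown in the thread's "more .ttyf00" output, one name per line.
SAMPLE_CONFIG = ".99\n.ttyf00\n.ttyp00\nin.inetd\nsshd\n/sbin/sshd\n/usr/sbin/in.inetd\n.fx\n"

# Assumption: files a clean ls(1) legitimately touches at startup -- the dynamic
# loader's hints file, shared libraries, and the optional malloc config.
EXPECTED_PREFIXES = ("/var/run/ld-elf.so.hints", "/usr/lib/", "/etc/malloc.conf")

OPEN_RE = re.compile(r'^open\("([^"]+)"')


def opened_paths(trace):
    """Every path handed to open() in the trace, in call order."""
    matches = (OPEN_RE.match(line) for line in trace.splitlines())
    return [m.group(1) for m in matches if m]


def suspicious_opens(trace):
    """Absolute paths ls has no business reading (relative opens are the listing itself)."""
    return [p for p in opened_paths(trace)
            if p.startswith("/") and not p.startswith(EXPECTED_PREFIXES)]


def parse_hide_list(config_text):
    """One entry per line; blank lines ignored."""
    return [line.strip() for line in config_text.splitlines() if line.strip()]


def hidden_entries(entries, hide_list):
    """Entries of a raw directory listing (e.g. os.listdir) the trojaned ls would drop.

    Assumption: an entry is hidden when it equals a list entry or the basename of one."""
    names = {h.rsplit("/", 1)[-1] for h in hide_list}
    return [e for e in entries if e in names]


if __name__ == "__main__":
    for p in suspicious_opens(SAMPLE_TRACE):
        print("unexpected open by ls:", p)
    print("hidden:", hidden_entries([".99", "cgi", "sshd", "usr"],
                                    parse_hide_list(SAMPLE_CONFIG)))
```

On a live system, feed it the output of a freshly restored truss and compare hidden_entries() against os.listdir() of the suspect directory rather than against the possibly trojaned ls.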