Date:      Fri, 9 May 2003 11:50:19 -0400
From:      "Timothy R. Geier" <tgeier@acsmail.com>
To:        Peter Elsner <peter@servplex.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Hacked?
Message-ID:  <200305091150.30237.tgeier@acsmail.com>
In-Reply-To: <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
References:  <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>

On Friday 09 May 2003 10:21, Borja Marcos wrote:
> On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
> > open("/dev/fd/.99/.ttyf00",0x0,0666)             = 3 (0x3)
>
> 	Look at this. This is a rootkit. What is this file? :-) Probably the
> typical rootkit config file.
>
> 	The "strings" command was good at this, but I have seen lately some
> rootkits replacing the strings command. Truss seems to be safer, at
> least for now.
>
> > I'm not exactly sure what I'm looking at... Do you see anything out of
> > the ordinary?
>
> 	Yes, something like that :-)
>
> 	If you "truss" commands like netstat, ps, etc, I am sure you will find
> similar operations. Look for open system calls with weird filenames or
> files in weird places, like above.
>
> 	Borja.
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

To add a few more thoughts to this, the most likely places for rootkit
configurations and possibly executables are hidden directories under /tmp,
/dev/, and /var/tmp.  Of course, these are not the only possible places, but
they are the most popular.

Also, the use of nmap or another port scanner from a remote machine can
discover if the rootkit has left any backdoor ports open.  Since you've
restored netstat, though, "netstat -l" should work just as well.  After
determining if there are any backdoors, I would recommend removing the
compromised machine from any network(s) it is on and then performing a
detailed analysis, restoration, and hardening.  An article on this process
can be found at http://www.securityfocus.com/infocus/1692.

-- 
Timothy R. Geier, Systems Administrator
Advanced Communications Systems
tgeier@acsmail.com
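The triage both messages describe, as an added example that is not part of the original thread or of any FreeBSD tool: a small set of POSIX shell helpers that filter truss output for open() calls on dot-named paths under /dev, /tmp and /var/tmp, list dot-named directories under those locations, and pull the LISTEN entries out of "netstat -an" output. The truss and netstat sample lines in the script are constructed for the demo (the first truss hit is modelled on the line quoted above), and the function names are my own. As the thread itself notes, the host's own binaries may have been replaced, so on a real case run these from a known-good copy of truss, netstat, find and grep (or offline against an image of the disk) rather than trusting what is installed.

```shell
#!/bin/sh
# Added example, not from the original thread or any FreeBSD tool: three
# shell helpers for the triage steps described above (truss a system
# binary and look for open() calls on odd paths; look for hidden
# directories under /tmp, /dev and /var/tmp; list listening sockets).
# The truss and netstat sample output below is constructed for the demo;
# the first truss hit is modelled on the line quoted in the thread.

# 1. Flag open()/openat() calls in truss(1) output whose path contains a
#    dot-named component under /dev, /tmp or /var/tmp. Reads truss output
#    on stdin, prints the matching lines, and returns grep's status
#    (1 when nothing matched). Assumes FreeBSD-style truss formatting.
flag_suspicious_opens() {
    grep -E '^ *open(at)?\(([^,"]*,)?"(/dev|/tmp|/var/tmp)(/[^"/]+)*/\.[^"/.][^"/]*'
}

# 2. Dot-named directories under the usual hiding spots. With no
#    arguments it searches the three directories named in the thread.
find_hidden_dirs() {
    if [ $# -eq 0 ]; then
        set -- /tmp /dev /var/tmp
    fi
    find "$@" -type d -name '.*' 2>/dev/null
}

# 3. Local address of every socket in LISTEN state, from "netstat -an"
#    output on stdin. Keys only on the state column, so it works for both
#    the FreeBSD ("*.22") and the Linux ("0.0.0.0:22") address formats.
listening_sockets() {
    awk '$NF == "LISTEN" { print $4 }'
}

# ---- demo on constructed samples --------------------------------------
SAMPLE_TRUSS=$(cat <<'EOF'
open("/etc/malloc.conf",0x0,0666)                ERR#2 'No such file or directory'
open("/dev/fd/.99/.ttyf00",0x0,0666)             = 3 (0x3)
open("/var/run/dev.db",0x0,0666)                 = 4 (0x4)
open("/tmp/.X11-unix/X0",0x2,0666)               = 5 (0x5)
openat(AT_FDCWD,"/var/tmp/.lib/.cfg",0x0,0666)   = 6 (0x6)
EOF
)

SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.31337                *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            10.0.0.9.51234         ESTABLISHED
udp4       0      0  *.514                  *.*
EOF
)

echo "== open() calls on dot-named paths in the sample trace =="
printf '%s\n' "$SAMPLE_TRUSS" | flag_suspicious_opens
echo "== listening sockets in the sample netstat output =="
printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets

# On the suspect host you would run instead (truss writes its trace to
# stderr, hence the redirects):
#   truss netstat -an 2>&1 >/dev/null | flag_suspicious_opens
#   truss ps aux     2>&1 >/dev/null | flag_suspicious_opens
#   find_hidden_dirs
#   netstat -an | listening_sockets
```

flag_suspicious_opens deliberately errs on the side of noise: /tmp/.X11-unix in the sample is legitimate on any X host and is flagged too. The goal is a short list a person reads, not a verdict. A hit under /dev that is not a device node, such as the /dev/fd/.99 directory quoted above, is the kind worth inspecting with ls -la before anything is cleaned up, and the listening-socket list is most useful compared against what the machine is supposed to serve.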
