From: "Timothy R. Geier" <tgeier@acsmail.com>
Organization: Advanced Communications Systems
To: Peter Elsner
cc: freebsd-security@freebsd.org
Date: Fri, 9 May 2003 11:50:19 -0400
Subject: Re: Hacked?

On Friday 09 May 2003 10:21, Borja Marcos wrote:
> On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
> > open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
>
> Look at this. This is a rootkit. What is this file? :-) Probably the
> typical rootkit config file.
>
> The "strings" command was good at this, but I have seen lately some
> rootkits replacing the strings command. Truss seems to be safer, at
> least for now.
>
> > I'm not exactly sure what I'm looking at... Do you see anything out of
> > the ordinary?
>
> Yes, something like that :-)
>
> If you "truss" commands like netstat, ps, etc, I am sure you will find
> similar operations. Look for open system calls with weird filenames or
> files in weird places, like above.
>
> Borja.

To add a few more thoughts to this, the most likely places for rootkit
configurations and possibly executables are hidden directories under /tmp,
/dev/, and /var/tmp. Of course, these are not the only possible places, but
they are the most popular.

Also, the use of nmap or another port scanner from a remote machine can
discover if the rootkit has left any backdoor ports open. Since you've
restored netstat, though, "netstat -l" should work just as well. After
determining if there are any backdoors, I would recommend removing the
compromised machine from any network(s) it is on and then performing a
detailed analysis, restoration, and hardening. An article on this process
can be found at http://www.securityfocus.com/infocus/1692.

-- 
Timothy R. Geier, Systems Administrator
Advanced Communications Systems
tgeier@acsmail.com
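The triage step both posters describe (truss a suspect binary, look for open() calls on hidden files under /dev, /tmp or /var/tmp) can be turned into a small filter. The script below is an added example, not code from Borja or Timothy; the sample truss lines are constructed (only the `/dev/fd/.99/.ttyf00` line is taken from the thread), and the allowlist of X11 socket directories is an assumption to be tuned per host.

```shell
#!/bin/sh
# Added example (not from the original thread): triage helpers for the
# truss-based check described above. Flags open() calls whose target is a
# hidden entry under /dev, /tmp or /var/tmp, and lists such entries on disk.

# Constructed sample truss(1) output. Only the second line comes from the
# thread; the rest are invented to exercise the filter.
sample_truss() {
    cat <<'EOF'
open("/etc/malloc.conf",0x0,00) ERR#2 'No such file or directory'
open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
read(3,"\M-^?ELF\^A\^A\^A",1024) = 1024 (0x400)
open("/var/run/dev.db",0x0,00) = 4 (0x4)
open("/tmp/.ICE-unix/4242",0x0,00) = 5 (0x5)
open("/var/tmp/.x/ps",0x0,00) = 6 (0x6)
close(6) = 0 (0x0)
EOF
}

# Read truss output on stdin; print the path of every open() whose target
# has a dot-prefixed component under /dev, /tmp or /var/tmp. The allowlist
# (an assumption; tune it for the host) keeps the standard X11 socket
# directories from showing up on every desktop box.
suspicious_opens() {
    sed -n 's/^open("\([^"]*\)".*/\1/p' |
    awk '
        BEGIN {
            allow["/tmp/.X11-unix"] = 1
            allow["/tmp/.ICE-unix"] = 1
            # prefix, any number of directories, then a component starting with "."
            pat = "^/(dev|tmp|var/tmp)/(.*/)?\\."
        }
        $0 ~ pat {
            for (k in allow)
                if ($0 == k || index($0, k "/") == 1) next
            print
        }
    '
}

# List hidden entries on disk under the given directories (defaults to the
# three named in the thread). Use a find binary you trust, e.g. from fixit
# media, since a rootkit may have replaced the local one just as it does
# strings, ps or netstat.
hidden_entries() {
    [ $# -eq 0 ] && set -- /dev /tmp /var/tmp
    find "$@" -path '*/.*' -print 2>/dev/null
}

# Demo: run the filter over the constructed sample.
sample_truss | suspicious_opens
```

Typical use is `truss -f /bin/ps > /tmp/ps.truss 2>&1; suspicious_opens < /tmp/ps.truss`, followed by `hidden_entries` to see whether the flagged paths exist on disk. The filter only looks at open(); a thorough pass should also include the readlink, stat and execve lines truss prints, and the whole exercise is only as trustworthy as the truss binary itself, which is the same caveat Borja raises for strings.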