Date:      Tue, 13 Nov 2001 22:10:05 +0100
From:      Axel Scheepers <axel@axel.truedestiny.net>
To:        Stefan Probst <stefan.probst@opticom.v-nam.net>
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: Adore worm
Message-ID:  <20011113221005.C19098@mars.thuis>
In-Reply-To: <5.1.0.14.2.20011114005803.0207ed70@MailServer>; from stefan.probst@opticom.v-nam.net on Wed, Nov 14, 2001 at 01:01:27AM +0700
References:  <XFMail.011113092233.jhb@FreeBSD.org> <5.1.0.14.2.20011114000437.02050a70@MailServer> <XFMail.011113092233.jhb@FreeBSD.org> <20011113185452.B19098@mars.thuis> <5.1.0.14.2.20011114005803.0207ed70@MailServer>

Hi,
I think you should try to get someone who does a quick reinstall, since
someone clearly got in and important binaries have been replaced by trojaned ones.
(Imagine a make world with a dirty gcc, for example.)
After the install, use ssh to log in, and disable anything you don't use
in /etc/inetd.conf. (Or use the tcpwrappers and edit /etc/hosts.allow.)
Furthermore, I suggest you use a firewall like ipfw or ipfilter to block and log
unwanted traffic, but this requires a custom kernel. (See /usr/src/i386/conf/
and the handbook.)
Gr,
Axel

On Wed, Nov 14, 2001 at 01:01:27AM +0700, Stefan Probst wrote:
> X-Mailer: QUALCOMM Windows Eudora Version 5.1
> Date: Wed, 14 Nov 2001 01:01:27 +0700
> To: Axel Scheepers <axel@axel.truedestiny.net>,
> 	John Baldwin <jhb@FreeBSD.org>
> From: Stefan Probst <stefan.probst@opticom.v-nam.net>
> Subject: Re: Adore worm
> Cc: Rob Hurle <rob@coombs.anu.edu.au>, freebsd-security@FreeBSD.org
> 
> Thanks everybody for "encouraging" answers so far.
> 
> I am in Vietnam, and the box is a dedicated server in the US :(
> 
> There was nearly nothing installed, when I got it about two months ago, and 
> I installed several packages - all of them downloaded from the original 
> sites, in order to be sure to get the latest version.
> 
> Will go to bed now and pray.....
> I still can telnet to the box.
> Maybe somebody finds an idea what to do...
> Will see at my eMail tomorrow.
> 
> Good Night!
> Stefan
> 
> 
> At 18:54 13.11.2001 +0100, Axel Scheepers wrote:
> -------------------------
> >Hi,
> >Best thing to do is to 'pull the plug' immediately (your net connection).
> >Back up the machine for later inspection, then reinstall fBSD and if
> >you got a separate data backup put that back.
> >Then you might put the previously made backup on a clean machine for inspection.
> >Usual vulnerable things like telnet, ftp etc. are a good place to start looking
> >for in your logs. (In case you didn't block them)
> >Gr,
> >Axel
> >
> >On Tue, Nov 13, 2001 at 09:22:33AM -0800, John Baldwin wrote:
> > > X-Mailer: XFMail 1.4.0 on FreeBSD
> > > Date: Tue, 13 Nov 2001 09:22:33 -0800 (PST)
> > > From: John Baldwin <jhb@FreeBSD.org>
> > > To: Stefan Probst <stefan.probst@opticom.v-nam.net>
> > > Subject: RE: Adore worm
> > > Cc: Rob Hurle <rob@coombs.anu.edu.au>, freebsd-security@FreeBSD.ORG
> > >
> > >
> > > On 13-Nov-01 Stefan Probst wrote:
> > > > Good Evening,
> > > >
> > > > sorry for newbie-posting, but I don't have too much time to sift through
> > > > archives....
> > > >
> > > > Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> > > > worm - or infested by purpose:
> > >
> > > It's a rootkit, and your box has been compromised.  Backup your data and
> > > reinstall unless someone else has a better idea.
> > >
> > > --
> > >
> > > John Baldwin <jhb@FreeBSD.org> -- http://www.FreeBSD.org/~jhb/
> > > "Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> >--
> >Axel Scheepers
> >UNIX System Administrator
> >
> >email: axel@axel.truedestiny.net
> >        ascheepers@vianetworks.nl
> >http://axel.truedestiny.net/~axel
> >------------------------------------------
> >"I can't complain, but sometimes I still do."
> >                 -- Joe Walsh
> >------------------------------------------
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
"What is the robbing of a bank compared to the FOUNDING of a bank?"
		-- Bertolt Brecht
------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
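The advice in this thread is to rebuild the host and then disable every inetd-launched service you do not use in /etc/inetd.conf. The script below is an added example, not code from this thread or from FreeBSD; it audits a FreeBSD-4.x-style inetd.conf, lists the services that are currently enabled, and writes a hardened copy in which everything not on an explicit allow list is commented out. The inetd.conf content is a constructed sample (the service lines, paths and the `#DISABLED#` marker are assumptions for the example); on a real host the operator would feed the actual /etc/inetd.conf into the same functions.

```shell
#!/bin/sh
# Added example: audit and harden an inetd.conf (not the thread's or FreeBSD's code).

# Constructed sample in the FreeBSD 4.x inetd.conf layout:
#   service  socket-type  protocol  wait/nowait  user  server-path  arguments
# Two entries (ssh, pop3) are already commented out; four are live.
sample_inetd_conf() {
cat <<'EOF'
# $FreeBSD$  (constructed sample, not a real machine's file)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ssh    stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
#pop3   stream  tcp     nowait  root    /usr/local/libexec/popper popper
EOF
}

# Print the name of every enabled service (uncommented, non-empty line),
# one per line. Reads the config from stdin.
enabled_services() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | awk '{ print $1 }'
}

# Emit a hardened copy of the config read from stdin: every enabled service whose
# name is not in the space-separated allow list ($1) is commented out with a
# "#DISABLED#" marker so the change stays visible in a later diff.
harden_inetd_conf() {
    allow="$1"
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # leave comments/blank lines alone
        ($1 in keep) { print; next }                          # explicitly allowed service
        { print "#DISABLED# " $0 }                            # everything else is switched off
    '
}

# Number of services still enabled in the sample after hardening with allow list $1.
remaining_count() {
    sample_inetd_conf | harden_inetd_conf "$1" | enabled_services | wc -l | tr -d ' '
}

# Demo run on the constructed sample. On a real host: write the output to a new
# file, diff it against /etc/inetd.conf, install it, then have inetd reread its
# config (on FreeBSD 4.x: kill -HUP `cat /var/run/inetd.pid`).
printf 'Enabled before hardening:\n'
sample_inetd_conf | enabled_services
printf '\nHardened config with an empty allow list (disable everything):\n'
sample_inetd_conf | harden_inetd_conf ""
printf '\nServices still enabled: %s\n' "$(remaining_count "")"
```

With an empty allow list the hardened file has no live entries at all, which matches the "disable anything you don't use" advice when the only service you rely on is sshd started from rc.conf rather than inetd; pass a list such as `"ftp"` to keep a service you genuinely need. The same audit pairs naturally with a tcpwrappers policy in /etc/hosts.allow for anything that must stay enabled.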