From owner-freebsd-security Tue Nov 13 13:10:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from axel.truedestiny.net (b76168.upc-b.chello.nl [212.83.76.168]) by hub.freebsd.org (Postfix) with ESMTP id AC79637B417 for ; Tue, 13 Nov 2001 13:10:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by axel.truedestiny.net (Postfix) with ESMTP id 05D7F49A24; Tue, 13 Nov 2001 22:10:08 +0100 (CET)
Received: by axel.truedestiny.net (Postfix, from userid 1000) id 6596849A23; Tue, 13 Nov 2001 22:10:05 +0100 (CET)
Date: Tue, 13 Nov 2001 22:10:05 +0100
From: Axel Scheepers
To: Stefan Probst
Cc: freebsd-security@FreeBSD.org
Subject: Re: Adore worm
Message-ID: <20011113221005.C19098@mars.thuis>
Reply-To: Axel Scheepers
References: <5.1.0.14.2.20011114000437.02050a70@MailServer> <20011113185452.B19098@mars.thuis> <5.1.0.14.2.20011114005803.0207ed70@MailServer>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.1.0.14.2.20011114005803.0207ed70@MailServer>; from stefan.probst@opticom.v-nam.net on Wed, Nov 14, 2001 at 01:01:27AM +0700
X-Virus-Scanned: by AMaViS perl-10
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I think you should try to get someone who does a quick reinstall, since someone clearly got in and important binaries are replaced by trojan ones. (Imagine a make world with a dirty gcc for example)

After the install use ssh to log in, and disable anything you don't use in /etc/inetd.conf. (Or use the tcpwrappers and edit /etc/hosts.allow)

Furthermore I suggest you use a firewall like ipfw or ipfilter to block and log unwanted traffic, but this requires a custom kernel. (See /usr/src/i386/conf/ and the handbook)

Gr,
Axel

On Wed, Nov 14, 2001 at 01:01:27AM +0700, Stefan Probst wrote:
> X-Mailer: QUALCOMM Windows Eudora Version 5.1
> Date: Wed, 14 Nov 2001 01:01:27 +0700
> To: Axel Scheepers ,
>     John Baldwin
> From: Stefan Probst
> Subject: Re: Adore worm
> Cc: Rob Hurle , freebsd-security@FreeBSD.org
>
> Thanks everybody for "encouraging" answers so far.
>
> I am in Vietnam, and the box is a dedicated server in the US :(
>
> There was nearly nothing installed, when I got it about two months ago, and
> I installed several packages - all of them downloaded from the original
> sites, in order to be sure to get the latest version.
>
> Will go to bed now and pray.....
> I still can telnet to the box.
> Maybe somebody finds an idea what to do...
> Will see at my eMail tomorrow.
>
> Good Night!
> Stefan
>
>
> At 18:54 13.11.2001 +0100, Axel Scheepers wrote:
> -------------------------
> >Hi,
> >Best thing to do is to 'pull the plug' immediately (your net connection).
> >Back up the machine for later inspection, then reinstall fBSD and if
> >you got a separate data backup put that back.
> >Then you might put the previously made backup on a clean machine for inspection.
> >Usual vulnerable things like telnet, ftp etc. are a good place to start looking
> >for in your logs. (In case you didn't block them)
> >Gr,
> >Axel
> >
> >On Tue, Nov 13, 2001 at 09:22:33AM -0800, John Baldwin wrote:
> > > X-Mailer: XFMail 1.4.0 on FreeBSD
> > > Date: Tue, 13 Nov 2001 09:22:33 -0800 (PST)
> > > From: John Baldwin
> > > To: Stefan Probst
> > > Subject: RE: Adore worm
> > > Cc: Rob Hurle , freebsd-security@FreeBSD.ORG
> > >
> > >
> > > On 13-Nov-01 Stefan Probst wrote:
> > > > Good Evening,
> > > >
> > > > sorry for newbie-posting, but I don't have too much time to sift through
> > > > archives....
> > > >
> > > > Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> > > > worm - or infested by purpose:
> > >
> > > It's a rootkit, and your box has been compromised. Backup your data and
> > > reinstall unless someone else has a better idea.
> > >
> > > --
> > >
> > > John Baldwin -- http://www.FreeBSD.org/~jhb/
> > > "Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> >--
> >Axel Scheepers
> >UNIX System Administrator
> >
> >email: axel@axel.truedestiny.net
> >       ascheepers@vianetworks.nl
> >http://axel.truedestiny.net/~axel
> >------------------------------------------
> >"I can't complain, but sometimes I still do."
> >       -- Joe Walsh
> >------------------------------------------

--
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
"What is the robbing of a bank compared to the FOUNDING of a bank?"
       -- Bertolt Brecht
------------------------------------------
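One way to carry out the "disable anything you don't use in /etc/inetd.conf" step from the reply above on the rebuilt box, as an added example that is not code from anyone in the thread: it comments out every inetd service except an allowlist and lists what is still enabled. The sample inetd.conf content is constructed here, not copied from a real system; function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): comment out every inetd.conf service
# except an allowlist, then report what remains enabled. Run it against a
# copy of /etc/inetd.conf, review the diff, install it, and send inetd a HUP.

# disable_inetd_services "<allowlist>" < inetd.conf
# allowlist: space-separated service names (the first field of each line).
disable_inetd_services() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blank lines stay
        ($1 in keep)              { print; next }   # allowed service stays active
        { print "#" $0 }                            # everything else is disabled
    '
}

# active_services < inetd.conf : names of the services still enabled
active_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }'
}

# Constructed sample in the style of a FreeBSD 4.x inetd.conf (not a real file).
SAMPLE_INETD='ftp     stream  tcp  nowait  root  /usr/libexec/ftpd           ftpd -l
telnet  stream  tcp  nowait  root  /usr/libexec/telnetd        telnetd
#shell  stream  tcp  nowait  root  /usr/libexec/rshd           rshd
pop3    stream  tcp  nowait  root  /usr/local/libexec/popper   popper'

# Example run: keep only ftp; telnet and pop3 end up commented out, and the
# already-disabled shell entry is left exactly as it was.
hardened_sample() {
    printf '%s\n' "$SAMPLE_INETD" | disable_inetd_services "ftp"
}

hardened_sample
printf -- '--- still enabled:\n'
hardened_sample | active_services
```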