Date: Sat, 10 May 2003 21:16:18 EAST
From: Adam Dewis <apdewis@postoffice.utas.edu.au>
To: freebsd-security@freebsd.org
Subject: Re: Hacked?
Message-ID: <200305101116.h4ABGMH21903@boyes.its.utas.edu.au>

On Fri, 09 May 2003 10:45:20 -0500 Peter Elsner wrote:
> here's what's in /dev/fd/.99
>
> # cd /dev/fd/.99
> # ll
> -rw-r--r-- 1 root wheel 70 May 2 18:05 .ttyf00
>
> The contents of that file are:
>
> # more .ttyf00
> .99
> .ttyf00
> .ttyp00
> in.inetd
> sshd
> /sbin/sshd
> /usr/sbin/in.inetd
> .fx
>
> I have already restored my ls and now my dates are back to normal... I
> have also restored netstat.
>
> I am now going to do a complete re-install of all binaries...
>
> Before I do, let me know if there's anything else you need...
>
> Peter
>

Doing a complete reinstall is all good and well, but installing a rootkit
means that the cracker used a hole to gain the required permissions to do
so. Which in practicality means that you will need to patch the hole as
well. Unfortunately, I cannot offer any advice on finding the hole, but
mayhaps some other security guru on this list may be able to steer you in
the right direction?

Adam