From owner-freebsd-security@FreeBSD.ORG Sat May 10 04:16:28 2003
From: Adam Dewis
Organization: University of Tasmania
To: freebsd-security@freebsd.org
Date: Sat, 10 May 2003 21:16:18 EAST
Subject: Re: Hacked?
Message-Id: <200305101116.h4ABGMH21903@boyes.its.utas.edu.au>

On Fri, 09 May 2003 10:45:20 -0500 Peter Elsner wrote:

> here's what's in /dev/fd/.99
>
> # cd /dev/fd/.99
> # ll
> -rw-r--r--  1 root  wheel  70 May  2 18:05 .ttyf00
>
> The contents of that file are:
>
> # more .ttyf00
> .99
> .ttyf00
> .ttyp00
> in.inetd
> sshd
> /sbin/sshd
> /usr/sbin/in.inetd
> .fx
>
> I have already restored my ls and now my dates are back to normal... I
> have also restored netstat.
>
> I am now going to do a complete re-install of all binaries...
>
> Before I do, let me know if there's anything else you need...
>
> Peter

Doing a complete reinstall is all good and well, but installing a rootkit means that the cracker used a hole to gain the required permissions to do so. Which in practicality means that you will need to patch the hole as well. Unfortunately I cannot offer any advice on finding the hole, but mayhaps some other security guru on this list may be able to steer you in the right direction?

Adam
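A defender's check prompted by the hidden /dev/fd/.99 directory and the trojaned ls in the quoted message, as an added example that is not part of the original thread: it reads a directory through the kernel (os.listdir) and diffs that against what /bin/ls prints, flags non-numeric names in /dev/fd, and matches names against the hide list quoted from .ttyf00 (copied here as constructed data; the host path and ls location are assumptions).

```python
"""Cross-check a directory against /bin/ls to spot names a trojaned ls
hides, and flag non-numeric entries in /dev/fd.  Note: this catches a
replaced ls binary, not a kernel-level rootkit that lies to every caller."""
import os
import re
import subprocess
from typing import Iterable

# Hide list from the .ttyf00 file quoted in the thread (constructed copy).
ROOTKIT_HIDE_LIST = [".99", ".ttyf00", ".ttyp00", "in.inetd", "sshd",
                     "/sbin/sshd", "/usr/sbin/in.inetd", ".fx"]


def names_hidden_by_ls(kernel_names: Iterable[str], ls_output: str) -> set:
    """Names the kernel reports but `ls -1a` omits.

    kernel_names: result of os.listdir(), which asks the kernel directly
    and so bypasses a user-space ls replacement.
    ls_output: stdout of `ls -1a DIR`, one name per line.
    """
    shown = {line.strip() for line in ls_output.splitlines() if line.strip()}
    return set(kernel_names) - shown - {".", ".."}


def suspicious_fd_entries(names: Iterable[str]) -> list:
    """Entries in /dev/fd that are not plain descriptor numbers."""
    return sorted(n for n in names if not re.fullmatch(r"\d+", n))


def matches_hide_list(path: str, hide_list=ROOTKIT_HIDE_LIST) -> bool:
    """True if the full path or its basename appears in the hide list."""
    return path in hide_list or os.path.basename(path) in hide_list


def audit_directory(path: str, ls_binary: str = "/bin/ls") -> dict:
    """Run all three checks against a live directory (assumes a Unix host)."""
    kernel_names = os.listdir(path)  # syscall-level view of the directory
    ls_out = subprocess.run([ls_binary, "-1a", path], capture_output=True,
                            text=True, check=False).stdout
    return {
        "hidden_by_ls": sorted(names_hidden_by_ls(kernel_names, ls_out)),
        "non_numeric": suspicious_fd_entries(kernel_names) if path == "/dev/fd" else [],
        "hide_list_hits": sorted(n for n in kernel_names if matches_hide_list(n)),
    }


if __name__ == "__main__":
    print(audit_directory("/dev/fd"))
```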