Date: Wed, 1 Aug 2001 19:54:40 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
Cc: Maximum <m-a-x-i-m-u-m@mail.ru>, freebsd-security@FreeBSD.ORG
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE
Message-ID: <20010801195440.B4274@ringworld.oblivion.bg>
In-Reply-To: <172110747676.20010801195853@internethelp.ru>; from nkritsky@internethelp.ru on Wed, Aug 01, 2001 at 07:58:53PM +0400
References: <E15Rwv3-0000Ag-00@f4.mail.ru> <172110747676.20010801195853@internethelp.ru>
On Wed, Aug 01, 2001 at 07:58:53PM +0400, Nickolay A.Kritsky wrote:
> Hello Maximum,
>
> Wednesday, August 01, 2001, 6:24:17 PM, you wrote:
>
> M> Hi everybody,
> M> today I've got a security report from my FreeBSD box that some suid files changed. That was /usr/bin/netstat, /usr/bin/fstat and /usr/bin/quote.
> M> Using the chkproc program from Nelson Murilo found at pangeia.com.br I found one stealth process. Running a clean ps command I found an ssh daemon (sshd) named 'swapper' in the process list. This daemon
> M> is attached to port 50505. Also I found a directory with other hacker's scripts and one of them contained the full list of changed binaries
> M> that was: ps, ls, netstat, fstat, ldconfig and telnetd
>
> Looks strange to me. The list of changed setuid binaries is not the
> same as in your security report. You should better check this out.

This is normal, and easily explained: of the listed changed binaries, only netstat and fstat are setgid. None of the others is either setuid or setgid, so they wouldn't be listed in the security report.

G'luck,
Peter

--
You have, of course, just begun reading the sentence that you have just finished reading.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
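Added example (not from the thread or from FreeBSD's own /etc/security script): a small stand-in for the setuid/setgid part of the daily security check, to show concretely why a replaced ls or ps never shows up in it while netstat and fstat do. It lists every file under a root that carries the setuid or setgid bit, keeps a baseline of mode/owner/group/size, and reports entries that differ on a later run. The directory tree, file names and the baseline path are all constructed for the demo; the real check in FreeBSD keeps its baseline elsewhere and records more fields.

```shell
#!/bin/sh
# Added example, not part of the original mail thread. The tree built by
# demo() and the baseline file name are hypothetical.

# list_suid ROOT
# Print "mode owner group size path" for every regular file under ROOT
# that has the setuid (4000) or setgid (2000) bit set, sorted by path.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null \
        | awk '{ print $1, $3, $4, $5, $NF }' | sort -k5
}

# check_suid ROOT BASELINE
# First run: save the listing as the baseline and return 0.
# Later runs: print the path of every entry that is new, gone, or whose
# mode/owner/group/size changed, and return 1 if there were any.
check_suid() {
    cs_root="$1"; cs_base="$2"
    cs_tmp=$(mktemp)
    list_suid "$cs_root" > "$cs_tmp"
    if [ ! -f "$cs_base" ]; then
        mv "$cs_tmp" "$cs_base"
        return 0
    fi
    # A line that occurs only once across both listings is a difference.
    changed=$(sort "$cs_base" "$cs_tmp" | uniq -u | awk '{ print $NF }' | sort -u)
    rm -f "$cs_tmp"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# demo
# Build a constructed tree like the one in the thread: ls and ps are plain
# 0755 binaries, netstat and fstat are setgid (as on FreeBSD, where they
# are setgid kmem). Take a baseline, then replace both ls and netstat with
# different contents and print what the setuid check reports, relative to
# the tree root. Only usr/bin/netstat is reported; bin/ls is invisible to
# this check even though it changed, which is the point made above.
demo() {
    d_root=$(mktemp -d)
    mkdir -p "$d_root/bin" "$d_root/usr/bin"
    for f in bin/ls bin/ps usr/bin/netstat usr/bin/fstat; do
        printf 'original %s\n' "$f" > "$d_root/$f"
        chmod 0755 "$d_root/$f"
    done
    chmod 2755 "$d_root/usr/bin/netstat" "$d_root/usr/bin/fstat"
    check_suid "$d_root" "$d_root/setuid.baseline"   # first run: baseline only

    # Simulated replacement of two binaries. Writing to a setgid file can
    # clear the bit on some systems, so it is re-applied, as a replaced
    # binary that kept its original permissions would have it.
    printf 'replaced ls with different contents\n' > "$d_root/bin/ls"
    printf 'replaced netstat with different contents\n' > "$d_root/usr/bin/netstat"
    chmod 2755 "$d_root/usr/bin/netstat"

    check_suid "$d_root" "$d_root/setuid.baseline" | sed "s|^$d_root/||"
    rm -rf "$d_root"
}

demo
```

Running it prints just usr/bin/netstat. A check like this only answers "did a setuid/setgid file change"; catching a replaced ls, ps or ldconfig needs a baseline over the whole system (mtree specifications of the installed files, or a file-integrity tool), kept somewhere the compromised host cannot rewrite it.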