From owner-freebsd-security Tue Nov 13 18:39:42 2001
Date: Wed, 14 Nov 2001 09:38:00 +0700
From: Stefan Probst
To: freebsd-security@FreeBSD.ORG
Cc: Rob Hurle
Subject: Re: Adore worm
Message-Id: <5.1.0.14.2.20011114091904.0425b660@MailServer>
References: <5.1.0.14.2.20011114005803.0207ed70@MailServer>

Dear All,

thanks so far for the good advice.

On my site, there is a webmail form, which is VERY rarely used. About 20 minutes before the hijack, there were three mails coming from that form, where the sender gave addresses etc. in Romania...

Status update here: I am right now in the background using an FTP client to back up the whole directory structure, so that I can later browse faster and check modification dates etc. It will still take some time until that is finished over the slow line here.

The only "good" thing: I have access to another FreeBSD 4.2 server, which has been patched. The problem is only that this is a custom build (virtual hosting), so I am not too sure. And for the time being, I assume that the intruder "just" installed the SW and didn't do more. Means: I will try to find out what happened, and if possible restore without going through a re-install.

My questions:

1. Any problem if I download "ps" and the patched "telnetd" from the good site and just replace them on the corrupted site?

2. I tried to patch as written in SA-01:49, but the directory /usr/src/ is empty, and when I run the "patch -p ..." command, I get:

>Hmm... Looks like a unified diff to me...
>The text leading up to this was:
>--------------------------
>|Index: libexec/telnetd/ext.h
>|===================================================================
>|RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v
>|retrieving revision 1.8
>|retrieving revision 1.10
>|diff -u -r1.8 -r1.10
>|--- libexec/telnetd/ext.h 2000/11/19 10:01:27 1.8
>|+++ libexec/telnetd/ext.h 2001/07/23 22:00:51 1.10
>--------------------------
>File to patch:

What should I enter here??? The documentation says nothing.

TIA,
Stefan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
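As an added illustration (not code from the post, the advisory or FreeBSD), the following Python emulates only the path-stripping rule of patch -pN for the header quoted above, to show which strip count locates the file from a given directory and when none does, which is the situation in which patch stops at the "File to patch:" prompt. The header text is a constructed copy of the quoted lines and the source trees are constructed in a temporary directory; no hunk is applied.

```python
import os
import tempfile

# Constructed copy of the header lines quoted in the post; only the
# '---' pathname matters for choosing the -p strip count.
DIFF_HEADER = """Index: libexec/telnetd/ext.h
===================================================================
RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v
retrieving revision 1.8
retrieving revision 1.10
diff -u -r1.8 -r1.10
--- libexec/telnetd/ext.h\t2000/11/19 10:01:27\t1.8
+++ libexec/telnetd/ext.h\t2001/07/23 22:00:51\t1.10
"""

def diff_target(diff_text):
    """Pathname from the '---' line: the name that patch -pN strips."""
    for line in diff_text.splitlines():
        if line.startswith("--- "):
            return line[4:].split("\t")[0].strip()
    raise ValueError("no '---' header line found")

def strip_components(path, n):
    """Emulate patch -pN: drop the first n slash-separated components."""
    parts = path.split("/")
    return "/".join(parts[n:]) if n < len(parts) else None

def resolve_strip_level(diff_text, root):
    """Smallest N for which 'patch -pN' run inside root finds the file, or
    None: then patch stops and asks 'File to patch:' (wrong/empty cwd)."""
    target = diff_target(diff_text)
    for n in range(len(target.split("/"))):
        candidate = strip_components(target, n)
        if candidate and os.path.isfile(os.path.join(root, candidate)):
            return n
    return None

def demo():
    """Constructed trees: a populated /usr/src-style root (-p0), the telnetd
    directory itself (-p2) and an empty directory (patch would prompt)."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "libexec", "telnetd")
        os.makedirs(src)
        with open(os.path.join(src, "ext.h"), "w") as fh:
            fh.write("/* constructed stand-in for telnetd/ext.h */\n")
        empty = os.path.join(root, "empty")
        os.makedirs(empty)
        return {"src_root": resolve_strip_level(DIFF_HEADER, root),
                "telnetd_dir": resolve_strip_level(DIFF_HEADER, src),
                "empty_dir": resolve_strip_level(DIFF_HEADER, empty)}
```

The check to make before answering the prompt is therefore whether the pathname in the diff resolves under the current directory for the chosen -p; with an empty source tree no strip count can succeed and the patch has nothing to apply to.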