Date: Wed, 14 Nov 2001 11:38:06 +0300
From: "Nickolay A.Kritsky"
To: Stefan Probst
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: Adore worm
Message-ID: <13049006858.20011114113806@internethelp.ru>
In-reply-To: <5.1.0.14.2.20011114091904.0425b660@MailServer>
References: <5.1.0.14.2.20011114005803.0207ed70@MailServer> <5.1.0.14.2.20011114091904.0425b660@MailServer>

Hello Stefan,

Wednesday, November 14, 2001, 5:38:00 AM, you wrote:

SP> Dear All,
SP> thanks so far for the good advice.
SP> On my site, there is a webmail form, which is VERY rarely used. About 20
SP> minutes before the hijack, there were three mails coming from that form,
SP> where the sender gave addresses etc. in Romania...
SP> Status update here:
SP> I am right now in the background using an FTP client to back up the whole
SP> directory structure, so that I can later browse faster and check
SP> modification dates etc. It will still take some time until that is finished
SP> over the slow line here.
SP> The only "good" thing: I have access to another FreeBSD 4.2 server, which
SP> has been patched. The only problem is that this is a custom build (virtual
SP> hosting), so I am not too sure.
AFAIK with CVS you can build binaries for almost any version of FreeBSD. But I
can be wrong here. Any comments are very welcome.

SP> And for the time being, I assume, that the intruder "just" installed the SW
SP> and didn't do more. Means: I will try to find out what happened, and if
SP> possible restore without going through a re-install.

This is a dangerous assumption. Be very careful and do not rely on this.

SP> My questions:
SP> 1. Any problem, if I download "ps" and the patched "telnetd" from the good
SP> site and just replace on the corrupted site?

You should just try. Download them with different names (let's say new_ps and
new_telnetd) and try to run them. For new_ps just type
`chmod 700 /path/to/new/ps/new_ps && /path/to/new/ps/new_ps' at the shell
prompt. For new_telnetd add the following line to /etc/inetd.conf:

55555 stream tcp nowait root /path/to/new/telnetd/new_telnetd new_telnetd

and do "kill -1 `cat /var/run/inetd.pid`". After that try to telnet localhost
at port 55555 and `tail' the logs for errors.

SP> 2. I tried to patch as written in SA-01:49, but the directory /usr/src/ is
SP> empty, and when I run the "patch -p ..." command, I get:
>>Hmm... Looks like a unified diff to me...
>>The text leading up to this was:
>>--------------------------
>>|Index: libexec/telnetd/ext.h
>>|===================================================================
>>|RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v
>>|retrieving revision 1.8
>>|retrieving revision 1.10
>>|diff -u -r1.8 -r1.10
>>|--- libexec/telnetd/ext.h 2000/11/19 10:01:27 1.8
>>|+++ libexec/telnetd/ext.h 2001/07/23 22:00:51 1.10
>>--------------------------
>>File to patch:
SP> What should I enter here???
SP> The documentation says nothing.

If your /usr/src directory is empty you cannot apply this patch.
SP> TIA,
SP> Stefan

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru
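The "File to patch:" prompt in the thread is what patch does when none of the files named in the diff exist under the current directory. As an added example (not from the list post or the FreeBSD advisory), this POSIX sh script reads the target paths out of an advisory-style diff and reports which ones are missing under a source root, so the check can be run before patch is; the sample diff is constructed here, with only its ext.h header lines modelled on the one quoted above.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Before running "patch -p0"
# against an advisory diff (SA-01:49 style, with "Index:" headers), list the
# files the diff expects under a source root such as /usr/src and report which
# are absent. An empty /usr/src means every target is missing, which is why
# patch falls back to the interactive "File to patch:" prompt.

# Target paths named by the diff: "Index:" lines, else "+++" lines.
patch_targets() {
    targets=$(sed -n 's/^Index: //p' "$1")
    [ -n "$targets" ] || targets=$(awk '/^\+\+\+ /{print $2}' "$1")
    printf '%s\n' "$targets" | sort -u
}

# Print each target missing under $1 (source root) for diff $2; exit status 0
# only when every target is present and patch can run non-interactively.
missing_patch_targets() {
    rc=0
    for f in $(patch_targets "$2"); do
        if [ ! -f "$1/$f" ]; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample diff: the ext.h header lines follow the one quoted in
# the thread; the telnetd.c hunk is made up for the demonstration.
write_sample_patch() {
    cat > "$1" <<'EOF'
Index: libexec/telnetd/ext.h
===================================================================
--- libexec/telnetd/ext.h 2000/11/19 10:01:27 1.8
+++ libexec/telnetd/ext.h 2001/07/23 22:00:51 1.10
@@ -1 +1 @@
-old line
+new line
Index: libexec/telnetd/telnetd.c
===================================================================
--- libexec/telnetd/telnetd.c 2000/11/19 10:01:27 1.8
+++ libexec/telnetd/telnetd.c 2001/07/23 22:00:51 1.10
@@ -1 +1 @@
-old line
+new line
EOF
}

# Demo against an empty source tree, like the empty /usr/src in the thread.
demo=$(mktemp -d)
write_sample_patch "$demo/sa.patch"
mkdir -p "$demo/src"
missing_patch_targets "$demo/src" "$demo/sa.patch" || echo "patch would prompt 'File to patch:'"
rm -rf "$demo"
```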