Date: Wed, 14 Nov 2001 18:56:06 +0700 From: Stefan Probst <stefan.probst@opticom.v-nam.net> To: freebsd-security@FreeBSD.ORG Cc: Rob Hurle <rob@coombs.anu.edu.au> Subject: Re: AdoreWorm Message-ID: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
next in thread | raw e-mail | index | archive | help
Hi, some hours later, lots of grey hair more, but feeling more safe now.... As it looks now, somebody in Romania used most probably the telnetd hole (because there were no other unused services running, and it would be hard to believe, that somebody on a dial-up line in Romania can sniff telnet passwords, which usually go from Vietnam via Hongkong to the EastCost) and got somehow root access. They installed then this AdoreBSD. Luckily, as it looks right now (I might be wrong), they didn't do anything else - at least nothing major. They furthermore installed from http://www.psychoid.lam3rz.de the psyBNC, which is obviously kind of an "special" IRC relay ??? This psyBNC left a logfile, and I have their ISP now: warpnet.ro, including some IP numbers, which they used. Not sure, what I should do with that. This psyBNC is installed in a directory, with a single space as the name: /root/ /bsd.tgz /root/ /bsd/scan-a /root/ /bsd/telnet /root/ /bsd/statdx2.tgz /root/ /bsd/statdx2/luckgo /root/ /bsd/statdx2/luckscan-a /root/ /bsd/statdx2/luckstatdx /root/ /bsd/statdx2/wu /root/ /psybnc/ Status as of now: - I deleted /bin/xterm (since I saw that entry in rc.conf) - I replaced ps with a version, which I downloaded from another server Luckily, that worked, and I could see the processes again. - I killed all ./cons.saver processes - I killed all /bin/xterm processes - I killed all ./psybnc processes - To apply the patch as written on the FreeBSD site, didn't work, because my /usr/src/ directory was empty. - I tried ssh (which is ok now) to make sure, that I am not locked out, in case I crash telnetd. - I replaced telnetd with a patched version which I downloaded from the other server. Still can log on. - I restarted inetd successfully. - I renamed .fx/cons.saver to be sure, that this is not restarted again - I changed the root password (not sure, whether this was necessary) - I replaced rc (I am really lucky, that this is one of the few files, which I (nosy) downloaded some time ago, so I have a clean copy here) and rc.conf - I renamed that /root/ / to something different - to be sure, that the files in there cannot be started by an unknown process again. Outstanding - find more remains. - the /var/log/... files are still not written, i.e. size still "0". ??? Open Questions: - I know, that * ps, telnetd have been replaced * /var/log/messages has been renamed to "menssages" * rc, rc.conf have been edited * processes were started: cons.saver, xterm, psybnc What more happened / needs to be re-installed/deleted/killed...? - there is a short file "/etc/syslog.conf.lock" what is this? Delete it? Thanks to everybody, Stefan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.2.20011114183520.01e71d20>