Date: Wed, 14 Nov 2001 12:49:32 -0800
From: Gregory Sutter <gsutter@zer0.org>
To: John Baldwin <jhb@FreeBSD.org>
Cc: Stefan Probst <stefan.probst@opticom.v-nam.net>, Rob Hurle <rob@coombs.anu.edu.au>, freebsd-security@FreeBSD.ORG
Subject: Re: Adore worm
Message-ID: <20011114124932.J35048@klapaucius.zer0.org>
In-Reply-To: <XFMail.011113092233.jhb@FreeBSD.org>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer> <XFMail.011113092233.jhb@FreeBSD.org>
On 2001-11-13 09:22 -0800, John Baldwin <jhb@FreeBSD.org> wrote:
>
> It's a rootkit, and your box has been compromised. Backup your data and
> reinstall unless someone else has a better idea.

I'm not sure if this is a better idea, but it does allow remote cleanup.
Tell me if I've missed anything.

1. Insert /etc/hosts.allow rules that only allow connections from your IP
   or subnet.
2. Change your password, and then change your root password.
3. pkg_delete cvsup # and any variants: cvsup-bin, etc.
   pkg_add -r cvsup
4. /stand/sysinstall, install a 'minimal' system from an FTP server (to get
   a clean 'make', 'cc', and libs)
5. Install a fresh OS:
   rm -rf /usr/src
   cvsup /usr/share/examples/cvsup/4.x-stable-supfile
   make buildworld
   make buildkernel
   make installkernel
   make installworld
   mergemaster
6. check /etc/rc.local for hacks, and chmod a-x /usr/local/etc/rc.d/*
7. Delete all your packages.
   cd /var/db/pkg; for i in `ls`; do echo $i >> /tmp/installed-packages; \
   pkg_delete -f $i; done
8. reboot
9. log in WITH SSH
10. change your password again. change your root password again.
11. find / -perm +a+s > /tmp/setuid_files # then audit them.
12. go through the rest of your filesystem, all of it, to ensure that
    no evil takeover scripts remain sitting anywhere. Check through 'cron'
    entries.
13. reinstall all your packages.
14. go play, but be safe! read freebsd-security and don't use unencrypted
    connections!

Greg
-- 
Gregory S. Sutter                     The process of scientific discovery
mailto:gsutter@zer0.org               is, in effect, a continual flight
http://www.zer0.org/~gsutter/         from wonder.
                                                        --Albert Einstein
hkp://wwwkeys.pgp.net/0x845DFEDD
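Step 11 above tells the reader to dump the setuid files and "then audit them", but an audit only means something against a baseline taken from a known-good install. The script below is an added example written for this archive page; it is not part of Greg's message or of FreeBSD. It records every setuid/setgid file under a root directory as a manifest line (mode, owner, group, checksum, path) and later compares a fresh scan against that manifest, reporting files that appeared or changed and files that vanished. It assumes only POSIX sh and the standard find, ls, awk, cksum, sort and comm utilities; the demo_tree function builds a small constructed directory tree (not real system binaries) so the whole thing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original message. Baseline-and-diff audit of
# setuid/setgid files. Assumes POSIX sh, find, ls, awk, cksum, sort, comm.

# Print one line per setuid/setgid regular file under $1:
#   <mode> <owner> <group> <cksum> <path>
# Output is sorted with the C locale so comm(1) can compare two manifests.
setuid_manifest() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # ls -ld gives mode, link count, owner, group, ...; keep mode/owner/group
        perms=$(ls -ld "$f" | awk '{print $1, $3, $4}')
        sum=$(cksum "$f" | awk '{print $1}')
        printf '%s %s %s\n' "$perms" "$sum" "$f"
    done | LC_ALL=C sort
}

# Compare baseline manifest file $1 against a fresh scan of root $2.
# Lines only in the new scan (new or modified setuid files) are printed
# with a '+ ' prefix, lines only in the baseline (removed files) with '- '.
# Returns 0 when the two agree, 1 when anything differs.
setuid_audit() {
    audit_base="$1"
    audit_now=$(mktemp)
    setuid_manifest "$2" > "$audit_now"
    added=$(LC_ALL=C comm -13 "$audit_base" "$audit_now")
    removed=$(LC_ALL=C comm -23 "$audit_base" "$audit_now")
    rm -f "$audit_now"
    rc=0
    if [ -n "$added" ];   then printf '%s\n' "$added"   | sed 's/^/+ /'; rc=1; fi
    if [ -n "$removed" ]; then printf '%s\n' "$removed" | sed 's/^/- /'; rc=1; fi
    return $rc
}

# Constructed sample tree for demonstration: one setuid file, one plain file.
# Prints the temporary root directory it created.
demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/bin" "$demo_root/sbin"
    printf 'constructed su\n' > "$demo_root/bin/su"; chmod 4755 "$demo_root/bin/su"
    printf 'constructed ls\n' > "$demo_root/bin/ls"; chmod 0755 "$demo_root/bin/ls"
    printf '%s\n' "$demo_root"
}

# Usage on a real host, run once from the clean install and again later:
#   setuid_manifest / > /var/db/setuid.baseline
#   setuid_audit /var/db/setuid.baseline / || echo "setuid set changed"
```

The baseline is only as trustworthy as the system it was taken from, so take it right after the clean install in steps 4 and 5, before packages come back, and keep a copy off the box; a checksum in the manifest also catches a setuid binary whose contents changed even though its path and mode did not.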