Date:      Wed, 14 Nov 2001 12:49:32 -0800
From:      Gregory Sutter <gsutter@zer0.org>
To:        John Baldwin <jhb@FreeBSD.org>
Cc:        Stefan Probst <stefan.probst@opticom.v-nam.net>, Rob Hurle <rob@coombs.anu.edu.au>, freebsd-security@FreeBSD.ORG
Subject:   Re: Adore worm
Message-ID:  <20011114124932.J35048@klapaucius.zer0.org>
In-Reply-To: <XFMail.011113092233.jhb@FreeBSD.org>
References:  <5.1.0.14.2.20011114000437.02050a70@MailServer> <XFMail.011113092233.jhb@FreeBSD.org>


On 2001-11-13 09:22 -0800, John Baldwin <jhb@FreeBSD.org> wrote:
>
> It's a rootkit, and your box has been compromised.  Back up your data and
> reinstall unless someone else has a better idea.

I'm not sure if this is a better idea, but it does allow remote
cleanup.  Tell me if I've missed anything.

1.  Insert /etc/hosts.allow rules that only allow connections from
    your IP or subnet.

2.  Change your password, and then change your root password.

3.  pkg_delete cvsup	# and any variants: cvsup-bin, etc.
    pkg_add -r cvsup

4.  /stand/sysinstall, install a 'minimal' system from an FTP server
    (to get a clean 'make', 'cc', and libs)

5.  Install a fresh OS:
    rm -rf /usr/src
    cvsup /usr/share/examples/cvsup/4.x-stable-supfile
    make buildworld
    make buildkernel
    make installkernel
    make installworld
    mergemaster

6.  check /etc/rc.local for hacks, and
    chmod a-x /usr/local/etc/rc.d/*

7.  Delete all your packages.
    cd /var/db/pkg; for i in `ls`; do echo $i >> /tmp/installed-packages; \
    pkg_delete -f $i; done

8.  reboot

9.  log in WITH SSH

10. change your password again.
    change your root password again.

11. find / -perm +a+s > /tmp/setuid_files 	# then audit them.

12. go through the rest of your filesystem, all of it, to ensure that
    no evil takeover scripts remain sitting anywhere.  Check through
    'cron' entries.

13. reinstall all your packages.

14. go play, but be safe!  read freebsd-security and don't use unencrypted
    connections!

Greg
-- 
Gregory S. Sutter                   The process of scientific discovery
mailto:gsutter@zer0.org             is, in effect, a continual flight
http://www.zer0.org/~gsutter/       from wonder.  --Albert Einstein
hkp://wwwkeys.pgp.net/0x845DFEDD
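
A way to make step 11's set-uid audit repeatable, as an added example that is not part of Greg's message or of FreeBSD's own tools: it snapshots the set-uid and set-gid files under a tree (using the `-perm -4000 -o -perm -2000` spelling that current `find` implementations accept, rather than the older `+a+s` form above) and diffs a later snapshot against the baseline taken right after the clean install, so anything a rootkit drops or replaces shows up as a changed line. The baseline path `/var/db/setuid.baseline` in the usage note is an assumption for this example.

```shell
#!/bin/sh
# Added example, not from the original message: snapshot the set-uid/set-gid
# files under a tree and compare a later snapshot with the saved baseline.
# The tree to audit and the baseline file are assumptions for this example.

# snapshot_setuid DIR
#   Print one "crc size path" line per set-uid or set-gid regular file under
#   DIR, sorted by path.  cksum is used because it is POSIX and present on a
#   minimal install; any stronger hash can be substituted.
snapshot_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec cksum {} \; \
        | sort -k 3
}

# audit_setuid DIR BASELINE
#   Compare the current snapshot of DIR against BASELINE (a file written by
#   snapshot_setuid on the known-good system).  Lines present now but not in
#   the baseline are printed with a "+" prefix (a new binary, or one whose
#   checksum or size changed); lines only in the baseline are printed with a
#   "-" prefix (a binary that vanished, or the old record of a changed one).
#   Returns 0 when nothing differs, 1 otherwise.
audit_setuid() {
    dir=$1
    baseline=$2
    cur=$(mktemp)
    base_sorted=$(mktemp)
    # comm requires both inputs sorted on the whole line, so re-sort here.
    snapshot_setuid "$dir" | sort > "$cur"
    sort "$baseline" > "$base_sorted"
    added=$(comm -13 "$base_sorted" "$cur" | sed 's/^/+ /')
    removed=$(comm -23 "$base_sorted" "$cur" | sed 's/^/- /')
    rm -f "$cur" "$base_sorted"
    if [ -n "$added" ] || [ -n "$removed" ]; then
        printf '%s\n' "$added" "$removed" | grep .
        return 1
    fi
    return 0
}

# count_new_setuid DIR BASELINE
#   Number of "+" lines audit_setuid reports; convenient for a cron check that
#   only needs to know whether anything appeared.
count_new_setuid() {
    audit_setuid "$1" "$2" | grep -c '^+ ' || true
}
```

Take the baseline immediately after step 5's `installworld` and before any package is reinstalled, for instance `snapshot_setuid / > /var/db/setuid.baseline`, and keep a copy off the box; later runs of `audit_setuid / /var/db/setuid.baseline` then report only what changed, which is a much shorter list to read than the whole `find` output.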


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011114124932.J35048>