From: Gregory Sutter
To: John Baldwin
Cc: Stefan Probst, Rob Hurle, freebsd-security@FreeBSD.ORG
Date: Wed, 14 Nov 2001 12:49:32 -0800
Subject: Re: Adore worm

On 2001-11-13 09:22 -0800, John Baldwin wrote:
>
> It's a rootkit, and your box has been compromised. Back up your data and
> reinstall unless someone else has a better idea.

I'm not sure if this is a better idea, but it does allow remote cleanup.
Tell me if I've missed anything.

1. Insert /etc/hosts.allow rules that only allow connections from your IP
   or subnet.
2. Change your password, and then change your root password.
3. pkg_delete cvsup  # and any variants: cvsup-bin, etc.
   pkg_add -r cvsup
4. /stand/sysinstall, install a 'minimal' system from an FTP server (to get
   a clean 'make', 'cc', and libs)
5. Install a fresh OS:
   rm -rf /usr/src
   cvsup /usr/share/examples/cvsup/4.x-stable-supfile
   make buildworld
   make buildkernel
   make installkernel
   make installworld
   mergemaster
6. Check /etc/rc.local for hacks, and chmod a-x /usr/local/etc/rc.d/*
7. Delete all your packages.
   cd /var/db/pkg; for i in `ls`; do echo $i >> /tmp/installed-packages; \
   pkg_delete -f $i; done
8. Reboot.
9. Log in WITH SSH.
10. Change your password again. Change your root password again.
11. find / -perm +a+s > /tmp/setuid_files  # then audit them.
12. Go through the rest of your filesystem, all of it, to ensure that no evil
    takeover scripts remain sitting anywhere. Check through 'cron' entries.
13. Reinstall all your packages.
14. Go play, but be safe! Read freebsd-security and don't use unencrypted
    connections!

Greg

--
Gregory S. Sutter                    The process of scientific discovery
mailto:gsutter@zer0.org              is, in effect, a continual flight
http://www.zer0.org/~gsutter/        from wonder.  --Albert Einstein
hkp://wwwkeys.pgp.net/0x845DFEDD
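Step 11 above saves a one-shot list of setuid/setgid files for manual auditing. The following added example, which is not part of Greg's message, turns that listing into a baseline comparison so that a later run reports only files that have gained a setuid or setgid bit since the clean install. It assumes POSIX find, sort and comm, and uses -perm -4000 / -perm -2000 instead of the BSD-only '-perm +a+s' so it also runs under GNU find; the DIR and BASELINE arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original message: baseline audit of
# setuid/setgid files. Assumes POSIX find, sort and comm.

# list_setuid DIR: print every regular file under DIR that has the
# setuid (4000) or setgid (2000) bit set, sorted in C locale so the
# output is stable for comm(1).
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | LC_ALL=C sort
}

# save_baseline DIR BASELINE: record the current set right after the
# clean reinstall, before any packages are put back.
save_baseline() {
    list_setuid "$1" > "$2"
}

# new_setuid DIR BASELINE: print setuid/setgid files under DIR that are
# not in BASELINE (comm -13 keeps lines only in the second input).
# Returns 0 when nothing new is found, 1 otherwise, so it can be used
# from cron or a periodic(8) script.
new_setuid() {
    _found=$(list_setuid "$1" | LC_ALL=C comm -13 "$2" -)
    [ -z "$_found" ] && return 0
    printf '%s\n' "$_found"
    return 1
}
```

Run save_baseline once on the freshly installed system, then new_setuid after every package reinstall and periodically thereafter; every path it prints should be explainable by a package you installed.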