Date: Wed, 14 Nov 2001 12:52:45 -0800 (PST)
From: John Baldwin <jhb@FreeBSD.org>
To: Gregory Sutter <gsutter@zer0.org>
Cc: freebsd-security@FreeBSD.ORG, Rob Hurle <rob@coombs.anu.edu.au>, Stefan Probst <stefan.probst@opticom.v-nam.net>
Subject: Re: Adore worm
Message-ID: <XFMail.011114125245.jhb@FreeBSD.org>
In-Reply-To: <20011114124932.J35048@klapaucius.zer0.org>
On 14-Nov-01 Gregory Sutter wrote:
> On 2001-11-13 09:22 -0800, John Baldwin <jhb@FreeBSD.org> wrote:
>>
>> It's a rootkit, and your box has been compromised.  Backup your data and
>> reinstall unless someone else has a better idea.
>
> I'm not sure if this is a better idea, but it does allow remote
> cleanup.  Tell me if I've missed anything.
>
> 1. Insert /etc/hosts.allow rules that only allow connections from
>    your IP or subnet.
>
> 2. Change your password, and then change your root password.
>
> 3. pkg_delete cvsup   # and any variants: cvsup-bin, etc.
>    pkg_add -r cvsup
>
> 4. /stand/sysinstall, install a 'minimal' system from an FTP server
>    (to get a clean 'make', 'cc', and libs)

This also will clean out /etc, so you might want to back up certain bits of etc
that you restore later, like the password and group files and rc.conf.

--
John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
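
An added example, not part of the original message: a check to run over the saved password file before restoring it after the reinstall, since the account database of a compromised host may carry entries the intruder added. It assumes the FreeBSD master.passwd layout (10 colon-separated fields); the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Audit a saved master.passwd-format file before restoring it.
# Assumed layout: name:password:uid:gid:class:change:expire:gecos:home:shell

audit_passwd() {
    # $1 = path to the saved copy. Prints one finding per line.
    # Returns 0 if clean, 1 if there are findings, 2 if unreadable.
    [ -r "$1" ] || return 2
    awk -F: '
        /^#/ || NF == 0 { next }                  # comments, blank lines
        NF != 10 { printf "MALFORMED line %d\n", NR; bad = 1; next }
        # UID 0 belongs to root and the stock toor alias only
        $3 == 0 && $1 != "root" && $1 != "toor" {
            printf "UID0 %s\n", $1; bad = 1 }
        # an empty password field means login without a password
        $2 == "" { printf "EMPTYPW %s\n", $1; bad = 1 }
        # a repeated login name can shadow the legitimate entry
        seen[$1]++ { printf "DUPNAME %s\n", $1; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample data (not from the original message): one extra
# UID-0 account and one account with an empty password field.
write_sample() {
    cat > "$1" <<'EOF'
root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$constructed$hash:1001:1001::0:0:Alice:/home/alice:/bin/sh
sysadm:$1$constructed$hash:0:0::0:0:System:/:/bin/sh
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
EOF
}

sample="${TMPDIR:-/tmp}/saved-master.passwd.$$"
write_sample "$sample"
audit_passwd "$sample" || echo "review the findings above before restoring"
rm -f "$sample"
```

A clean result only rules out these three conditions; ordinary accounts the intruder may have added or re-passworded still need a manual review against a known-good list.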