Date: Fri, 9 May 2003 11:50:19 -0400
From: "Timothy R. Geier" <tgeier@acsmail.com>
To: Peter Elsner <peter@servplex.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Hacked?
Message-ID: <200305091150.30237.tgeier@acsmail.com>
In-Reply-To: <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
References: <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
On Friday 09 May 2003 10:21, Borja Marcos wrote:
> On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
> > open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
>
> Look at this. This is a rootkit. What is this file? :-) Probably the
> typical rootkit config file.
>
> The "strings" command was good at this, but I have seen lately some
> rootkits replacing the strings command. Truss seems to be safer, at
> least for now.
>
> > I'm not exactly sure what I'm looking at... Do you see anything out of
> > the ordinary?
>
> Yes, something like that :-)
>
> If you "truss" commands like netstat, ps, etc, I am sure you will find
> similar operations. Look for open system calls with weird filenames or
> files in weird places, like above.
>
> Borja.

To add a few more thoughts to this, the most likely places for rootkit
configurations and possibly executables are hidden directories under /tmp,
/dev/, and /var/tmp. Of course, these are not the only possible places, but
they are the most popular.

Also, the use of nmap or another port scanner from a remote machine can
discover if the rootkit has left any backdoor ports open. Since you've
restored netstat, though, "netstat -l" should work just as well. After
determining if there are any backdoors, I would recommend removing the
compromised machine from any network(s) it is on and then performing a
detailed analysis, restoration, and hardening. An article on this process
can be found at http://www.securityfocus.com/infocus/1692.

-- 
Timothy R. Geier, Systems Administrator
Advanced Communications Systems
tgeier@acsmail.com
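As an added example that is not part of this thread, here is a small POSIX sh filter that applies Borja's suggestion mechanically: run a binary under truss and flag open() calls on dot-prefixed paths under the directories Timothy lists (/tmp, /dev, /var/tmp). The sample truss lines are constructed, apart from the one quoted from Peter's output; `truss` and `grep -E` are assumed to be available and trustworthy (run from clean media, since the thread notes rootkits replace inspection tools).

```shell
#!/bin/sh
# Added example (not from the thread): filter truss(1) output for open()
# calls whose path has a hidden (dot-prefixed) component under /dev, /tmp
# or /var/tmp, the rootkit hiding spots discussed on the list.

# Print truss lines where open() touches a dot-prefixed path component
# under /dev, /tmp or /var/tmp. Plain "." and ".." components are not
# flagged. Reads truss output on stdin; prints nothing when all is clean.
flag_hidden_opens() {
  grep -E '^open\("(/dev|/tmp|/var/tmp)(/[^"]*)?/\.[^"./][^"]*"' || true
}

# Run a binary under truss and apply the filter. truss writes its trace to
# stderr, so it is merged into the pipe. Use a truss copied from known-good
# media, as the thread warns that rootkits replace inspection tools.
audit_binary() {
  truss "$@" 2>&1 | flag_hidden_opens
}

# Constructed sample truss output: three benign opens (including a "/.."
# traversal that must not be flagged), the line quoted from Peter's
# output, and one more hidden-directory open under /var/tmp.
SAMPLE_TRUSS='open("/etc/localtime",0x0,0666) = 3 (0x3)
open("/dev/null",0x2,0666) = 4 (0x4)
open("/tmp/../etc/passwd",0x0,0666) = 5 (0x5)
open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
open("/var/tmp/.hidden/config",0x0,0666) = 6 (0x6)'

# Number of suspicious opens in the constructed sample (expected: 2).
count_sample_hits() {
  printf '%s\n' "$SAMPLE_TRUSS" | flag_hidden_opens | wc -l | tr -d ' '
}
```

On a live system, `audit_binary ps -aux` or `audit_binary netstat -an` applies the same filter to the real trace; an empty result only means this particular hiding pattern was not seen, not that the host is clean.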