From owner-freebsd-security@FreeBSD.ORG Fri May 9 10:22:30 2003
Delivered-To: freebsd-security@freebsd.org
From: Chris BeHanna
Organization: Western Pennsylvania Pizza Disposal Unit
To: security@freebsd.org
Date: Fri, 9 May 2003 13:22:28 -0400
User-Agent: KMail/1.5.1
References: <5.2.0.9.2.20030509090341.01796b58@mail.servplex.com> <5.2.0.9.2.20030509104258.017c6b50@mail.servplex.com>
In-Reply-To: <5.2.0.9.2.20030509104258.017c6b50@mail.servplex.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200305091322.28708.behanna@zbzoom.net>
Subject: Re: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: behanna@zbzoom.net
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 09 May 2003 17:22:31 -0000

On Friday 09 May 2003 11:45, Peter Elsner wrote:
> Here's what's in /dev/fd/.99
>
> # cd /dev/fd/.99
> # ll
> -rw-r--r--  1 root  wheel  70 May  2 18:05 .ttyf00
>
> The contents of that file are:
>
> # more .ttyf00
> .99
> .ttyf00
> .ttyp00
> in.inetd
> sshd
> /sbin/sshd
> /usr/sbin/in.inetd
> .fx
>
> I have already restored my ls and now my dates are back to normal... I
> have also restored netstat.
>
> I am now going to do a complete re-install of all binaries...
*AFTER* you boot from CD-ROM and newfs every partition on the disk, right?
That is the *only* way you can be sure you've removed all of the noisome
pieces of the rootkit.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
Turning coffee into software since 1990.
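The file Peter found is the rootkit's hide-list: the names the trojaned ls (and, by the look of the process names, ps) were told to suppress. As an added example that is not part of this thread or of FreeBSD, the script below takes that list, walks a tree with the kernel's own directory reads instead of the ls binary, and reports every entry the list would have hidden; it also flags regular files under a device directory, since a devfs tree should contain only nodes, symlinks and directories. The hide-list body is the one quoted above; every function name, the sample tree and the temp-dir layout are constructed for the example. It is meant to be run the way Chris describes, from clean media with the suspect disk mounted read-only and its mount point passed as the root, because on a running compromised host a kernel-level rootkit can lie to this script exactly as it lies to ls.

```python
"""Scan a filesystem tree for the entries a rootkit's hide-list tells its
trojaned ls to suppress.  Directories are read through os.walk (the kernel's
directory-read syscalls), not through the ls binary, so a replaced ls cannot
filter the results.  Added example for this thread; the hide-list body is the
.ttyf00 content from the quoted post, everything else here is constructed."""
import os
import shutil
import stat
import tempfile

# Body of /dev/fd/.99/.ttyf00 as shown in the quoted post.
HIDE_LIST_TEXT = """\
.99
.ttyf00
.ttyp00
in.inetd
sshd
/sbin/sshd
/usr/sbin/in.inetd
.fx
"""


def parse_hide_list(text):
    """Split a hide-list into bare names (hidden wherever they occur) and
    absolute paths (hidden at one location)."""
    names, paths = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            (paths if line.startswith("/") else names).add(line)
    return names, paths


def scan_tree(root, names, paths):
    """Return sorted absolute paths under root whose basename is in names or
    whose root-relative path is in paths.  Pass the mount point of the suspect
    disk as root (e.g. /mnt after booting clean media); its entries are then
    matched as if that mount point were '/'."""
    root = os.path.abspath(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            virtual = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if entry in names or virtual in paths:
                hits.append(full)
    return sorted(hits)


def regular_files_under(dev_root):
    """Regular files below a device directory.  A devfs tree should hold device
    nodes, symlinks and directories only, so a regular file there (like the
    post's /dev/fd/.99/.ttyf00) deserves a look.  Heuristic, not proof."""
    found = []
    for dirpath, _dirs, filenames in os.walk(dev_root, onerror=lambda err: None):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if stat.S_ISREG(os.lstat(full).st_mode):
                    found.append(full)
            except OSError:
                continue
    return sorted(found)


def build_sample_tree(base):
    """Constructed layout mimicking the post: the hidden dir under dev/fd, the
    two backdoor paths named in the hide-list, and one benign file."""
    for rel in ("dev/fd/.99/.ttyf00", "sbin/sshd", "usr/sbin/in.inetd",
                "etc/passwd"):
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(HIDE_LIST_TEXT if rel.endswith(".ttyf00") else "")


def demo():
    """Build the sample tree in a temp dir, scan it, and return the hide-list
    hits and the stray regular files as root-relative paths."""
    base = tempfile.mkdtemp(prefix="hidelist-demo-")
    try:
        build_sample_tree(base)
        names, paths = parse_hide_list(HIDE_LIST_TEXT)
        hits = scan_tree(base, names, paths)
        stray = regular_files_under(os.path.join(base, "dev"))
        rel = lambda p: os.path.relpath(p, base).replace(os.sep, "/")
        return [rel(h) for h in hits], [rel(s) for s in stray]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    hits, stray = demo()
    print("hide-list matches:", *hits, sep="\n  ")
    print("regular files under dev:", *stray, sep="\n  ")
```

Bare names such as `sshd` will also match the legitimate binaries of the same name on a real disk, so the hit list is a set of leads to compare against a known-good install, not a verdict; the absolute-path entries (`/sbin/sshd`, `/usr/sbin/in.inetd`) are the more telling ones, since neither is where stock FreeBSD keeps those daemons.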