From owner-freebsd-questions@FreeBSD.ORG Tue May 20 19:55:57 2003
Return-Path: 
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 86AD137B401 for ; Tue, 20 May 2003 19:55:57 -0700 (PDT)
Received: from sccrmhc01.attbi.com (sccrmhc01.attbi.com [204.127.202.61]) by mx1.FreeBSD.org (Postfix) with ESMTP id A865443FAF for ; Tue, 20 May 2003 19:55:56 -0700 (PDT) (envelope-from freebsd-questions-local@be-well.no-ip.com)
Received: from be-well.ilk.org (lowellg.ne.client2.attbi.com[24.147.188.198]) by attbi.com (sccrmhc01) with ESMTP id <20030521025555001003kkqre>; Wed, 21 May 2003 02:55:55 +0000
Received: from be-well.ilk.org (lowellg.ne.client2.attbi.com [24.147.188.198] (may be forged)) by be-well.ilk.org (8.12.9/8.12.7) with ESMTP id h4L2ttFb001747; Tue, 20 May 2003 22:55:55 -0400 (EDT) (envelope-from freebsd-questions-local@be-well.no-ip.com)
Received: (from lowell@localhost) by be-well.ilk.org (8.12.9/8.12.6/Submit) id h4L2tsRh001744; Tue, 20 May 2003 22:55:54 -0400 (EDT)
X-Authentication-Warning: be-well.ilk.org: lowell set sender to freebsd-questions-local@be-well.ilk.org using -f
Sender: lowell@be-well.no-ip.com
To: Guy Van Sanden
References: <1053459934.2959.224.camel@cronos.home.vsb>
From: Lowell Gilbert
Date: 20 May 2003 22:55:54 -0400
In-Reply-To: <1053459934.2959.224.camel@cronos.home.vsb>
Message-ID: <44wuglovnp.fsf@be-well.ilk.org>
Lines: 36
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-questions@freebsd.org
Subject: Re: HELP - Rootkit - add info
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Wed, 21 May 2003 02:55:57 -0000

Guy Van Sanden writes:

> I forgot to mention some basic stuff (the idea that my box could be
> hacked scares
> the living daylight out of me).
>
> I run FreeBSD 5.0-RELEASE (patches applied)
> the md5sums of the files in question match those on knowngoods.org (of
> course md5 could be hacked as well).
>
> Last does not report any strange connections, and I can't find anything
> on my firewall that indicates this too.
>
> I ran aide (against an old database), and it doesn't report these files
> as changed either (which also is inconclusive).
>
> I'm currently running clamscan on everything, but that's going to take a
> while.
>
> Thanks for any help
>
>
> -----Forwarded Message-----
>
> From: Guy Van Sanden
> To: freebsd-questions@freebsd.org
> Subject: HELP - Rootkit
> Date: 20 May 2003 21:18:38 +0200
>
> I found some strange files in /stand namely -sh and [
> This got me somewhat suspicious, so I installed chkrootkit.

There are supposed to be files by those names. Also, chkrootkit is
known to give false positives on FreeBSD 5.x.

This doesn't guarantee that you're uninfected, but so far everything
you've described is the same as a clean install.
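An added example, not code from the thread or from either poster: a POSIX shell helper that mirrors the check Guy described, comparing a flagged file's MD5 against a knowngoods.org-style list of "<md5>  <path>" lines, and also reports the file's hard-link count. It assumes, from my own reading of FreeBSD 5.x rather than anything the thread states, that the /stand names such as `[` and `-sh` are hard links to one crunched binary, so a legitimate copy shows several names sharing one inode. The directory, files and checksum list are constructed in a temp dir so the demo runs anywhere.

```shell
#!/bin/sh
# Added example: verify a scanner-flagged file against a known-good MD5 list
# and show its link count. Everything under the temp dir is constructed.

# MD5 of a file: GNU md5sum on Linux, md5 -q on FreeBSD.
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# Hard-link count of a path: GNU stat first, BSD stat as fallback.
link_count() {
  stat -c %h "$1" 2>/dev/null || stat -f %l "$1"
}

# verify_known_good FILE LIST: LIST holds "<md5>  <path>" lines.
# Returns 0 on match, 1 on checksum mismatch, 2 if FILE is not listed.
verify_known_good() {
  expected=$(awk -v p="$1" '$2 == p { print $1 }' "$2")
  [ -n "$expected" ] || return 2
  [ "$(file_md5 "$1")" = "$expected" ]
}

# Build the constructed stand-in for /stand: one file reachable under three
# hard-linked names, plus a known-good list generated from the untouched
# copies (assumed layout, mine). Prints the directory path.
demo_setup() {
  dir=$(mktemp -d)
  printf 'crunched binary' > "$dir/sh"
  ln "$dir/sh" "$dir/["
  ln "$dir/sh" "$dir/-sh"
  for name in sh "[" -sh; do
    printf '%s  %s\n' "$(file_md5 "$dir/$name")" "$dir/$name"
  done > "$dir/known.md5"
  echo "$dir"
}
```

Try it with `d=$(demo_setup); verify_known_good "$d/[" "$d/known.md5" && echo "links=$(link_count "$d/[")"`; appending a byte to `$d/sh` then makes every linked name fail the check, which is what a real tampered binary would look like.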