From: Stefan Probst
To: freebsd-security@FreeBSD.ORG
Cc: Rob Hurle
Date: Wed, 14 Nov 2001 00:13:21 +0700
Subject: Adore worm

Good Evening,

sorry for newbie-posting, but I don't have too much time to sift through archives....

Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a worm - or infested on purpose: I found a new directory /usr/lib/.fx/ which contains all kind of stuff. One README file says:

>%cat README
>    AdoreBSD 0.34 - Based off Linux Adore by Stealth
>    Copyright (c) 2001 bind@gravitino.net
>
>Developed on FreeBSD 4.3-STABLE
>
>Installation:
>  # make; make load
>
>Features:
>  * hide file or directory from view
>  * make processes invisible
>  * hide promiscuous flag and syslog messages
>  * execute as root
>  * hide sysctl mib entries
>  * netstat service hiding
>  * authentication
>  * module hiding

I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped"). "rc.conf" was modified and three lines with "/bin/xterm" added. I deleted this "xterm" program, since it was also created/modified by the worm. "rc" itself shows the date of the infection, but I don't know what was done.

Anything known? Any ideas what to do?

Looking forward to pointers....

Rgds,
Stefan