Date: Tue, 13 Nov 2001 12:39:51 -0500 (EST)
From: "Andrew R. Reiter" <arr@FreeBSD.org>
To: Stefan Probst <stefan.probst@opticom.v-nam.net>
Cc: freebsd-security@FreeBSD.org, Rob Hurle <rob@coombs.anu.edu.au>
Subject: Re: Adore worm
Message-ID: <Pine.NEB.3.96L.1011113123918.48186A-100000@fledge.watson.org>
In-Reply-To: <5.1.0.14.2.20011114000437.02050a70@MailServer>
It's not a worm; unless it's part of a larger system, it is a backdoor.
I'd reinstall.
On Wed, 14 Nov 2001, Stefan Probst wrote:
:Good Evening,
:
:sorry for newbie-posting, but I don't have too much time to sift through
:archives....
:
:Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
:worm - or infested on purpose:
:
:I found a new directory /usr/lib/.fx/
:which contains all kind of stuff.
:One README file says:
:>%cat README
:> AdoreBSD 0.34 - Based off Linux Adore by Stealth
:> Copyright (c) 2001 bind@gravitino.net
:>
:>Developed on FreeBSD 4.3-STABLE
:>
:>Installation:
:> # make; make load
:>
:>Features:
:> * hide file or directory from view
:> * make processes invisible
:> * hide promiscuous flag and syslog messages
:> * execute as root
:> * hide sysctl mib entries
:> * netstat service hiding
:> * authentication
:> * module hiding
:
:I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped").
:"rc.conf" was modified and three lines with "/bin/xterm" added. I deleted
:this "xterm" program, since it was also created/modified by the worm.
:"rc" itself shows the date of the infection, but I don't know, what was done.
:
:Anything known? Any ideas what to do? Looking forward to pointers....
:Rgds,
:Stefan
:
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-security" in the body of the message
:
--
Andrew R. Reiter
arr@watson.org
arr@FreeBSD.org
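The README quoted above lists "make processes invisible" as a feature. An added defender-side illustration, not code from the thread, of the kind of cross-check an admin can run before deciding what has been hidden: probe the pid space directly with kill(pid, 0) and compare it with what ps reports. Function names are mine; it assumes `ps -axo pid=` works (it does on FreeBSD and procps), and a kernel module that hooks the kill and process syscalls can defeat this check as well, which is why the reply recommends reinstalling.

```python
import os
import subprocess

# Hypothetical helper names; added example, not code from the thread.

def pid_exists(pid: int) -> bool:
    """Probe a pid with signal 0 without delivering anything.
    ESRCH means no such process; EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:      # ESRCH
        return False
    except PermissionError:         # EPERM: alive, owned by another user
        return True
    return True

def probe_pids(max_pid: int = 99999) -> set:
    """Walk the whole pid space (99999 was PID_MAX on FreeBSD 4.x)
    instead of trusting ps or procfs, which a rootkit may filter."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}

def parse_ps_pids(text: str) -> set:
    """Turn the output of `ps -axo pid=` into a set of ints."""
    return {int(tok) for tok in text.split() if tok.isdigit()}

def listed_pids() -> set:
    """Ask ps for every pid it is willing to show."""
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)

def hidden_pids(probed: set, listed: set) -> set:
    """Pids the kernel answers for that ps does not list. Short-lived
    processes (ps itself) can show up here once; re-run to confirm."""
    return probed - listed

if __name__ == "__main__":
    hidden = hidden_pids(probe_pids(), listed_pids())
    print("hidden pids:", sorted(hidden) or "none found")
```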
