From owner-freebsd-security@FreeBSD.ORG Fri May 21 12:52:50 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3ED9B16A4CE for ; Fri, 21 May 2004 12:52:50 -0700 (PDT)
Received: from prserv.net (asmtp1.prserv.net [32.97.166.51]) by mx1.FreeBSD.org (Postfix) with ESMTP id A805143D39 for ; Fri, 21 May 2004 12:52:49 -0700 (PDT) (envelope-from yann.luppo@attglobal.net)
Received: from razor (130.wf21.bltm.wswdc01r18.dsl.att.net[12.103.21.130]) by prserv.net (asmtp1) with SMTP id <2004052119513825103jg6pme> (Authid: yann.luppo@attglobal.net); Fri, 21 May 2004 19:51:38 +0000
Message-ID: <021f01c43f3a$e7eb7f40$0f01a8c0@razor>
From: "RazorOnFreeBSD"
To:
Date: Fri, 21 May 2004 15:52:45 +0200
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: Hacked or not ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 21 May 2004 19:52:50 -0000

Hi,

I have a 4.9-STABLE FreeBSD box apparently hacked! Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs. Those are:

chfn ... INFECTED
chsh ... INFECTED
date ... INFECTED
ls ... INFECTED
ps ... INFECTED

But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.

I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x, but I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:

ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
getuid() = 0 (0x0)
readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory'   #SUSPICIOUS
mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
break(0x809b000) = 0 (0x0)
break(0x809c000) = 0 (0x0)
break(0x809d000) = 0 (0x0)
break(0x809e000) = 0 (0x0)
.......................................... and so on!

And if I am an intrusion victim.... what can I do? How can I restore those files? And how can I find out how this cracker managed to break my firewall? I mean, where is the security hole?

PS: After verification on other commands declared not infected, I found out this ERR#2 is common.... maybe I have another problem here!

Thanks everyone!
razor.
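Editor's note on the post above: the readlink of /etc/malloc.conf failing with ENOENT is FreeBSD's malloc(3) looking for its optional configuration symlink; every dynamically allocated program does it, so it is not evidence of tampering. chkrootkit's INFECTED verdicts are string-signature matches and are known to produce false positives, so the question of whether chfn, chsh, date, ls and ps were really replaced is best settled by comparing the files against known-good copies of the same FreeBSD release. The POSIX shell script below is an added example, not part of the original post and not chkrootkit's own code: it builds a SHA-256 manifest of a directory and later reports every file whose hash changed or which went missing. It falls back to openssl(1) where no sha256 tool exists (as on a 4.9 base system); the scratch directory, file contents and the "trojaned ps" in the demo are constructed.

```shell
#!/bin/sh
# Added example: build and verify a hash manifest of binaries so that a
# signature-based verdict like chkrootkit's "INFECTED" can be confirmed or
# dismissed against a known-good baseline. The directory names used in the
# demo are assumptions for illustration, not real system paths.

# Print the SHA-256 of one file using whichever tool the host provides.
hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # BSD sha256(1)
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Write "hash  path" lines for every regular file under a directory to
# stdout, sorted so that two manifests of the same tree are comparable.
make_manifest() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hashfile "$f")" "$f"
    done
}

# Re-hash every file named in a manifest. Prints one line per file that is
# missing or whose hash differs; returns 0 if all match, 1 otherwise.
# (Input redirection, not a pipe, keeps the loop in the current shell so
# that $status survives the loop under POSIX sh.)
verify_manifest() {
    status=0
    while IFS= read -r line; do
        expected=${line%%  *}
        path=${line#*  }
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; status=1
        elif [ "$(hashfile "$path")" != "$expected" ]; then
            printf 'CHANGED  %s\n' "$path"; status=1
        fi
    done < "$1"
    return $status
}

# Demonstration on a constructed scratch tree: take a baseline, replace one
# file to simulate a trojaned binary, then verify.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'original ls\n' > "$tmp/bin/ls"
    printf 'original ps\n' > "$tmp/bin/ps"
    make_manifest "$tmp/bin" > "$tmp/baseline.sha256"
    printf 'trojaned ps\n' > "$tmp/bin/ps"   # constructed tampering
    verify_manifest "$tmp/baseline.sha256"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo 'baseline does not match: investigate the files listed above'
```

Two caveats when using this for real. The baseline must come from trusted media (release CD, or a fresh install of the same version and patch level), because a manifest taken on an already-compromised host only enshrines the attacker's binaries. And the tools the script relies on (find, sha256sum or openssl, the shell itself) may be exactly what a rootkit replaced, so run the verification from a trusted boot environment or with statically linked copies of those tools, not from the suspect system's own /bin and /usr/bin.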