Date:      Fri, 21 May 2004 15:52:45 +0200
From:      "RazorOnFreeBSD" <yann.luppo@attglobal.net>
To:        <freebsd-security@freebsd.org>
Subject:   Hacked or not ?
Message-ID:  <021f01c43f3a$e7eb7f40$0f01a8c0@razor>

Hi,

I have a 4.9-STABLE FreeBSD box that has apparently been hacked!
Yesterday I ran chkrootkit-0.41 and I don't like some of the output.
Those are:
chfn  ... INFECTED
chsh  ... INFECTED
date  ... INFECTED
ls    ... INFECTED
ps    ... INFECTED

But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x,
but I'm not in that case. So I'm a little bit afraid, and as a newbie I don't really know what to do....
I tried "truss ls" to find something strange, and here is the output with something... suspicious to me:

ioctl(1,TIOCGETA,0xbfbff534)                     = 0 (0x0)
ioctl(1,TIOCGWINSZ,0xbfbff5a8)                   = 0 (0x0)
getuid()                                         = 0 (0x0)
readlink("etc/malloc.conf",0xbfbff490,63)        ERR#2 'No such file or directory'         #SUSPICIOUS
mmap(0x0,4096,0x3,0x1002,-1,0x0)                 = 671666176 (0x2808d000)
break(0x809b000)                                 = 0 (0x0)
break(0x809c000)                                 = 0 (0x0)
break(0x809d000)                                 = 0 (0x0)
break(0x809e000)                                 = 0 (0x0)
.................................................. and so on!

And if I am an intrusion victim.... what can I do? How can I restore those files? And how can I find out how this cracker managed to break through my firewall? I mean, where is the security hole?
PS: After checking other commands declared not infected, I found out this ERR#2 is common.... maybe I have another problem here!

Thanks everyone!
razor.
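One way to check a scanner's INFECTED verdict against a trusted baseline is to compare file hashes with a manifest taken from a known-good state (install media or an offline copy). This is an added POSIX sh example, not code from the original post or from chkrootkit; it assumes sha256sum or shasum is available and runs on constructed stand-in files rather than the real /bin.

```shell
#!/bin/sh
# Added example (not from the original post): record a hash manifest of a
# directory from a trusted state, then report files that changed or vanished.
# Assumption: the baseline is taken from known-good binaries (install media,
# offline copy), and sha256sum or shasum -a 256 is available.

hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# baseline_manifest DIR OUT  - write "hash path" for every regular file in DIR
baseline_manifest() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_cmd "$f")" "$f"
    done > "$2"
}

# verify_manifest MANIFEST  - print CHANGED/MISSING lines; exit 1 if any differ
verify_manifest() {
    rc=0
    while IFS=' ' read -r want path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"; rc=1
        elif [ "$(hash_cmd "$path")" != "$want" ]; then
            printf 'CHANGED %s\n' "$path"; rc=1
        fi
    done < "$1"
    return $rc
}

# demo - constructed stand-ins for /bin/ls, /bin/ps, /bin/date; prints the
# verification report (expect: ls CHANGED, ps MISSING, date untouched)
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf 'orig ls\n'   > "$d/bin/ls"
    printf 'orig ps\n'   > "$d/bin/ps"
    printf 'orig date\n' > "$d/bin/date"
    baseline_manifest "$d/bin" "$d/manifest"
    printf 'trojaned ls\n' > "$d/bin/ls"   # simulate a replaced binary
    rm "$d/bin/ps"                         # simulate a removed binary
    verify_manifest "$d/manifest"; rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

On a real system the manifest must be generated from trusted media and stored off the host, since a compromised box can be made to report matching hashes.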
