Date: Tue, 13 Nov 2001 11:03:01 -0700
From: "Don Sutter" <drs@suntreeaz.com>
To: "Stefan Probst" <stefan.probst@opticom.v-nam.net>
Cc: <freebsd-security@freebsd.org>
Subject: Re: Adore worm
Message-ID: <005a01c16c6d$6f2ade40$13fea8c0@drs>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer>
Has anyone tried looking at: http://www.sophos.com/virusinfo/analyses/linuxadore.html?

----- Original Message -----
From: "Stefan Probst" <stefan.probst@opticom.v-nam.net>
To: <freebsd-security@FreeBSD.ORG>
Cc: "Rob Hurle" <rob@coombs.anu.edu.au>
Sent: Tuesday, November 13, 2001 10:13 AM
Subject: Adore worm

> Good evening,
>
> sorry for newbie-posting, but I don't have too much time to sift through
> archives....
>
> Looks like my FreeBSD 4.2 box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> worm - or infested on purpose:
>
> I found a new directory /usr/lib/.fx/
> which contains all kinds of stuff.
> One README file says:
> >%cat README
> > AdoreBSD 0.34 - Based off Linux Adore by Stealth
> > Copyright (c) 2001 bind@gravitino.net
> >
> >Developed on FreeBSD 4.3-STABLE
> >
> >Installation:
> > # make; make load
> >
> >Features:
> > * hide file or directory from view
> > * make processes invisible
> > * hide promiscuous flag and syslog messages
> > * execute as root
> > * hide sysctl mib entries
> > * netstat service hiding
> > * authentication
> > * module hiding
>
> I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped").
> "rc.conf" was modified and three lines with "/bin/xterm" added. I deleted
> this "xterm" program, since it was also created/modified by the worm.
> "rc" itself shows the date of the infection, but I don't know what was done.
>
> Anything known? Any ideas what to do? Looking forward to pointers....
> Rgds,
> Stefan
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
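As an added example written from a defender's point of view, not code from this thread or from either poster: a small Python script that cross-checks for the symptoms Stefan describes. It compares the PIDs a `ps` listing shows with the PIDs the kernel admits to via kill(pid, 0) (a process-hiding module can filter the listing, but the probe still answers for every real PID), and scans rc.conf for the "/bin/xterm" lines he found added. The `ps -ax` column layout and all sample data are constructed assumptions.

```python
import os
import re

# Indicators quoted in the thread (constructed checks, not a full AdoreBSD signature).
HIDDEN_DIR = "/usr/lib/.fx"
RC_CONF_MARKER = "/bin/xterm"

# Constructed sample of `ps -ax` output, so the demo runs offline.
SAMPLE_PS = (
    "  PID  TT  STAT      TIME COMMAND\n"
    "    1  ??  ILs    0:00.01 /sbin/init --\n"
    "  142  ??  Ss     0:00.10 syslogd\n"
    "  200  p0  S      0:00.02 -csh (csh)\n"
)
# Constructed result of kill(pid, 0) probing; 666 is the planted hidden PID.
SAMPLE_LIVE = {1, 142, 200, 666}

def parse_ps_pids(ps_output):
    """PID column of ps output, header line skipped."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids

def probe_live_pids(max_pid=99999):
    """PIDs the kernel admits exist: kill(pid, 0) succeeds, or fails with
    EPERM (exists, not ours). ESRCH means there is no such process."""
    live = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # ESRCH: nothing there
        except PermissionError:
            pass  # EPERM: exists, owned by someone else
        live.add(pid)
    return live

def hidden_pids(visible, live):
    """Processes the kernel knows about but the listing omits."""
    return live - visible

def rc_conf_indicators(rc_conf_text):
    """rc.conf lines referencing the marker Stefan found added."""
    return [l for l in rc_conf_text.splitlines() if RC_CONF_MARKER in l]

if __name__ == "__main__":
    print("hidden in sample:", hidden_pids(parse_ps_pids(SAMPLE_PS), SAMPLE_LIVE))
    print("hidden dir present:", os.path.isdir(HIDDEN_DIR))
```

On Linux, thread IDs also answer kill(pid, 0), so confirm any suspect against /proc before treating it as hidden. A module that also hooks the kill syscall defeats this probe as well, which is why the reliable check is to examine the disk after booting from known-clean media.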