Date:      Fri, 9 May 2003 16:21:54 +0200
From:      Borja Marcos <borjamar@sarenet.es>
To:        Peter Elsner <peter@servplex.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Hacked?
Message-ID:  <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
In-Reply-To: <5.2.0.9.2.20030509090341.01796b58@mail.servplex.com>



On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
> open("/dev/fd/.99/.ttyf00",0x0,0666)             = 3 (0x3)

	Look at this. This is a rootkit. What is this file? :-) Probably the 
typical rootkit config file.

	The "strings" command was good at this, but I have seen lately some 
rootkits replacing the strings command. Truss seems to be safer, at 
least for now.

> I'm not exactly sure what I'm looking at... Do you see anything out of 
> the ordinary?

	Yes, something like that :-)

	If you "truss" commands like netstat, ps, etc., I am sure you will find 
similar operations. Look for open system calls with weird filenames or 
files in weird places, like above.




	Borja.
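The check Borja describes above, running truss over system binaries and looking for open() calls on oddly placed files, can be scripted over saved truss output. The following is an added example, not code from the thread or from FreeBSD; the sample truss lines are constructed (only the `/dev/fd/.99/.ttyf00` entry is the one quoted in the thread), and the "weird path" heuristics (hidden dot-components outside home directories, paths nested deep under /dev, config-like files in temp directories) are this example's own assumptions, not a definitive rootkit signature.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of truss(1) output, modeled on the open() line quoted in
# the thread. Only the /dev/fd/.99/.ttyf00 line comes from the original post.
SAMPLE_TRUSS_OUTPUT = """\
open("/etc/passwd",0x0,0666)                     = 3 (0x3)
open("/dev/fd/.99/.ttyf00",0x0,0666)             = 3 (0x3)
open("/usr/lib/libc.so.5",0x0,0666)              = 3 (0x3)
open("/usr/lib/.libproc/hide.conf",0x0,0666)     = 4 (0x4)
open("/dev/ttyp0",0x2,0666)                      = 5 (0x5)
open("/var/run/dev.db",0x0,0666)                 = 6 (0x6)
stat("/tmp/.x/conf",0xbfbff1a0)                  = 0 (0x0)
"""

# Matches the start of a truss line for the path-taking syscalls we care about:
#   open("/some/path",0x0,0666) = 3 (0x3)
PATH_CALL_RE = re.compile(
    r'^(?P<call>open|stat|lstat|access|readlink)\("(?P<path>[^"]*)"'
)

# Hidden files are normal under home directories; elsewhere they deserve a look.
HOME_PREFIXES = ("/home/", "/root/", "/usr/home/")


def is_suspicious(path: str) -> List[str]:
    """Return the reasons (possibly none) a path looks like a hidden
    rootkit config or data file. Heuristics are assumptions of this example."""
    reasons: List[str] = []
    parts = path.split("/")

    # Hidden (dot) components such as /dev/fd/.99 or /usr/lib/.libproc
    dot_parts = [p for p in parts if p.startswith(".") and p not in (".", "..")]
    if dot_parts and not path.startswith(HOME_PREFIXES):
        reasons.append(f"hidden component(s) {dot_parts}")

    # /dev holds device nodes and /dev/fd/N entries; anything nested deeper
    # than /dev/fd/N is not a device node.
    if path.startswith("/dev/") and len(parts) > 4:
        reasons.append("path nested more than one level below /dev")

    # Config-like files in world-writable temp directories
    if path.startswith(("/tmp/", "/var/tmp/")):
        reasons.append("file in world-writable temp directory")

    return reasons


def scan_truss_output(text: str) -> List[Dict[str, object]]:
    """Parse truss output line by line and report path-taking syscalls whose
    path triggers at least one heuristic."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PATH_CALL_RE.match(line)
        if not m:
            continue
        reasons = is_suspicious(m.group("path"))
        if reasons:
            findings.append(
                {
                    "line": lineno,
                    "call": m.group("call"),
                    "path": m.group("path"),
                    "reasons": reasons,
                }
            )
    return findings


if __name__ == "__main__":
    # Usage: truss /usr/bin/netstat 2>&1 | python3 scan_truss.py
    # With no piped input, the constructed sample above is scanned instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRUSS_OUTPUT
    for f in scan_truss_output(data):
        print(f"line {f['line']}: {f['call']}({f['path']!r}) -> {'; '.join(f['reasons'])}")
```

The script only reads truss output, so it can be run against a capture taken on the suspect host and examined elsewhere; as Borja notes, the binaries themselves (including strings) may be replaced, so the value lies in the system-call view rather than in trusting any single userland tool.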

