From owner-freebsd-security Tue Nov 13 10: 8:41 2001
Message-Id: <5.1.0.14.2.20011114005803.0207ed70@MailServer>
Date: Wed, 14 Nov 2001 01:01:27 +0700
To: Axel Scheepers, John Baldwin
From: Stefan Probst
Subject: Re: Adore worm
Cc: Rob Hurle, freebsd-security@FreeBSD.org
In-Reply-To: <20011113185452.B19098@mars.thuis>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer>

Thanks everybody for "encouraging" answers so far.

I am in Vietnam, and the box is a dedicated server in the US :(

There was nearly nothing installed, when I got it about two months ago, and
I installed several packages - all of them downloaded from the original
sites, in order to be sure to get the latest version.

Will go to bed now and pray.....

I still can telnet to the box. Maybe somebody finds an idea what to do...
Will see at my eMail tomorrow.

Good Night!
Stefan

At 18:54 13.11.2001 +0100, Axel Scheepers wrote:
-------------------------
>Hi,
>Best thing to do is to 'pull the plug' immediately (your net connection).
>Back up the machine for later inspection, then reinstall fBSD and if
>you got a separate data backup put that back.
>Then you might put the previous made backup on a clean machine for inspection.
>Usual vulnerable things like telnet, ftp etc. is a good place to start looking
>for in your logs. (In case you didn't block them)
>Gr,
>Axel
>
>On Tue, Nov 13, 2001 at 09:22:33AM -0800, John Baldwin wrote:
> > X-Mailer: XFMail 1.4.0 on FreeBSD
> > Date: Tue, 13 Nov 2001 09:22:33 -0800 (PST)
> > From: John Baldwin
> > To: Stefan Probst
> > Subject: RE: Adore worm
> > Cc: Rob Hurle, freebsd-security@FreeBSD.ORG
> >
> >
> > On 13-Nov-01 Stefan Probst wrote:
> > > Good Evening,
> > >
> > > sorry for newbie-posting, but I don't have too much time to sift through
> > > archives....
> > >
> > > Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> > > worm - or infested by purpose:
> >
> > It's a rootkit, and your box has been compromised. Back up your data and
> > reinstall unless someone else has a better idea.
> >
> > --
> >
> > John Baldwin -- http://www.FreeBSD.org/~jhb/
> > "Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>--
>Axel Scheepers
>UNIX System Administrator
>
>email: axel@axel.truedestiny.net
>       ascheepers@vianetworks.nl
>http://axel.truedestiny.net/~axel
>------------------------------------------
>"I can't complain, but sometimes I still do."
>                               -- Joe Walsh
>------------------------------------------