From: azze
Date: Fri, 21 May 2004 22:12:23 +0200
To: yann.luppo@attglobal.net
Cc: freebsd-security@freebsd.org
Subject: Re: Hacked or not ?
Message-ID: <1379674329.20040521221223@bl0wf1sh.ath.cx>
List-Id: Security issues [members-only posting]

maybe you should

- grep the 4.9-STABLE sources of chfn, chsh, date, ls, ps, build them and diff/md5 the built stuff
- ktrace(dump) the (current) ls, etc. with the (fresh) cvs version (rev for 4.9-S)
- just reinstall the system :)

R> Hi,
R> I have a 4.9-STABLE FreeBSD box apparently hacked!
R> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
R> Those are:
R> chfn ... INFECTED
R> chsh ... INFECTED
R> date ... INFECTED
R> ls ... INFECTED
R> ps ... INFECTED
R> But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
R> I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x
R> But I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
R> I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:
R> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
R> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
R> getuid() = 0 (0x0)
R> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
R> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
R> break(0x809b000) = 0 (0x0)
R> break(0x809c000) = 0 (0x0)
R> break(0x809d000) = 0 (0x0)
R> break(0x809e000) = 0 (0x0)
R> ........ and so on!
R> And if I am an intrusion victim.... what can I do? How can I restore
R> those files? And how can I find out how this cracker managed to break my
R> firewall? I mean, where is the security hole?
R> PS: After verification on other commands declared not infected I found
R> out this ERR#2 is common.... maybe I have another problem here!
R> Thanks everyone!
R> razor.
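The first suggestion in the reply above (rebuild the suspect binaries from known-good sources, then compare checksums) can be scripted so it is repeatable. The script below is an added example and is not code from either poster or from FreeBSD: it builds a manifest of MD5 hashes from a reference directory (standing in for a fresh build), then checks an installed directory against that manifest and reports OK, MISMATCH or MISSING per file, exiting non-zero if anything differs. The directory names, the `demo` function and its fake "ELF-pretend" files are constructed for the demonstration; on a real system the reference directory would be the output of a clean build and the installed directory would be `/usr/bin` or `/bin`.

```shell
#!/bin/sh
# Added example, not from the thread: verify installed binaries against a
# manifest of hashes taken from a known-good (freshly built) copy.
# Uses md5sum (GNU) if present, otherwise md5 -q (FreeBSD/macOS).

# Print just the MD5 hex digest of one file, whichever tool is available.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Emit one "<hash> <name>" line per named file found in directory $1.
make_manifest() {
    dir=$1; shift
    for name in "$@"; do
        printf '%s %s\n' "$(hash_file "$dir/$name")" "$name"
    done
}

# Compare files in directory $1 against manifest file $2.
# Prints a status line per entry; returns 1 if any file is missing or differs.
verify_manifest() {
    dir=$1; manifest=$2; rc=0
    while read -r ref name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        cur=$(hash_file "$dir/$name")
        if [ "$cur" = "$ref" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (installed $cur, reference $ref)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Self-contained demo: constructed files stand in for the fresh build (ref)
# and the installed tree (inst); no real system binaries are touched.
demo() {
    work=$(mktemp -d) || return 2
    mkdir "$work/ref" "$work/inst"
    for b in chfn chsh date ls ps; do
        printf 'ELF-pretend %s\n' "$b" > "$work/ref/$b"
        cp "$work/ref/$b" "$work/inst/$b"
    done
    # Simulate a tampered ls in the installed tree.
    printf 'ELF-pretend ls with extra bytes\n' > "$work/inst/ls"
    make_manifest "$work/ref" chfn chsh date ls ps > "$work/manifest"
    verify_manifest "$work/inst" "$work/manifest"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo
```

Run as `sh verify.sh`; the demo reports OK for chfn, chsh, date and ps and MISMATCH for ls, and exits 1. Because the reference hashes come from a build the checker controls rather than from a signature list, this catches a modified binary regardless of whether any rootkit scanner has a pattern for it, and it does not flag a pristine file the way a heuristic scanner can.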