From: "Maximum"
To: freebsd-security@freebsd.org
Subject: Trojan injected in my Freebsd 4.1-RELEASE
Date: Wed, 01 Aug 2001 18:24:17 +0400
Sender: owner-freebsd-security@FreeBSD.ORG

Hi everybody, today I've got a security report from my FreeBSD box that some suid files changed. Those were /usr/bin/netstat, /usr/bin/fstat and /usr/bin/quote. Using the chkproc program from Nelson Murilo found at pangeia.com.br I found one stealth process. Running a clean ps command I found an ssh daemon (sshd) named 'swapper' in the process list. This daemon is attached to port 50505. Also I found a directory with the hacker's other scripts, and one of them contained a full list of the changed binaries, which was: ps, ls, netstat, fstat, ldconfig and telnetd. Examining the logs I have not found any records of the hacker's visit. Wtmp was cleared 5 hours before the time the hacker's scripts were created.
I'm going not only to remove this trojan from my box, but also to find where the attack was made from and the way the attack was made. Now I have written a small script that will run a clean netstat and grep from its output any connections to port 50505 and the telnet port. I have included this script in my crontab and cron runs it every minute. This way I hope to find where that man connects to me from. Do you have any other suggestions to help me find how the hacker injected the trojan? In one of the shell scripts I'm talking about I found the copyright mark "nrfbsdrk v0.1 by gREMLiNs". Thank you. Maxim Sorokin
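The cron watcher described above, as an added example that is not the poster's own script: it runs a known-clean netstat (the trojaned one cannot be trusted; the path /mnt/clean/netstat is an assumption for a copy taken from install media), parses FreeBSD's `netstat -an` format where the port is the text after the last "." of each address, and records the remote address and port of every established connection to the watched local ports. The sample netstat output embedded below is constructed.

```shell
#!/bin/sh
# Assumed path of a clean netstat copied from install media (not the system one).
CLEAN_NETSTAT=${CLEAN_NETSTAT:-/mnt/clean/netstat}
# Local ports to watch: the backdoor sshd and telnet.
WATCH_PORTS="50505 23"

# Read netstat -an style lines on stdin; print "remote_addr remote_port local_port state"
# for each TCP connection whose local port is in the list given as $1.
# Listening sockets (foreign address "*.*") are skipped: only real peers are of interest.
filter_connections() {
    awk -v ports="$1" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 ~ /^tcp/ && NF >= 6 {
        lp = $4; sub(/.*\./, "", lp)        # local port = text after the last "."
        rp = $5; sub(/.*\./, "", rp)        # remote port
        ra = $5; sub(/\.[^.]*$/, "", ra)    # remote address = everything before ".port"
        if ((lp in want) && $5 != "*.*") print ra, rp, lp, $6
    }'
}

# Constructed sample of FreeBSD netstat -an output (documentation addresses).
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.50505       203.0.113.40.3172      ESTABLISHED
tcp4       0      0  192.0.2.10.22          198.51.100.7.40212     ESTABLISHED
tcp4       0      0  *.50505                *.*                    LISTEN
tcp4       0      0  192.0.2.10.23          198.51.100.9.1055      ESTABLISHED
udp4       0      0  *.514                  *.*'

# Run the filter over the constructed sample (used to check the parser offline).
check_sample() { printf '%s\n' "$SAMPLE" | filter_connections "$WATCH_PORTS"; }

# Intended cron entry, every minute: append timestamped hits to a log file.
log_hits() {
    "$CLEAN_NETSTAT" -an | filter_connections "$WATCH_PORTS" | while read -r ra rp lp st; do
        printf '%s %s:%s -> local port %s (%s)\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$ra" "$rp" "$lp" "$st"
    done >> /var/log/watch-ports.log
}
```

Expect the sample to yield the two peers on ports 50505 and 23 and nothing for the sshd session on 22 or the LISTEN socket.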