From owner-freebsd-security Wed Aug 1 7:49: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from void.xpert.com (xpert.com [199.203.132.1]) by hub.freebsd.org (Postfix) with ESMTP id 1FD2B37B403 for ; Wed, 1 Aug 2001 07:48:58 -0700 (PDT) (envelope-from Yonatan@xpert.com)
Received: from mailserv.xpert.com ([199.203.132.135]) by void.xpert.com with esmtp (Exim 3.20 #1) id 15RwJ5-0008Q5-00; Wed, 01 Aug 2001 16:45:03 +0300
Received: by mailserv.xpert.com with Internet Mail Service (5.5.2650.21) id ; Wed, 1 Aug 2001 17:48:40 +0300
From: Yonatan Bokovza
To: 'Maximum', freebsd-security@freebsd.org
Subject: RE: Trojan injected in my Freebsd 4.1-RELEASE
Date: Wed, 1 Aug 2001 17:48:39 +0300
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="koi8-r"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi

> Examining the logs, I have not found any records of the hacker's
> visit. Wtmp was cleared 5 hours back from the creation time of the
> hacker's scripts.
>
> I'm going not only to remove this trojan from my box, but to find
> out from where the attack was made and how it was made.
> In one of the shell scripts I'm talking about I found a copyright
> mark "nrfbsdrk v0.1 by gREMLiNs".

This will translate to "NRF BSD RootKit" in human-speak. I can't trivially find any information about it, so I'll be happy if you send me a tarball of this offline, for deeper analysis.

It seems from your mail that you don't have any important information on this server and don't care about its being hacked; you just want to learn about the hacker. Having noted that, I won't lead you through the usual path of "newfs this machine and reinstall from backup". It _is_, however, important to understand that this machine might pose a threat to the rest of your network.
Use ifconfig to see if the interfaces are in promiscuous mode, meaning your attacker is probably sniffing for more username/password combos. Dig around /var/log and see if any program exited with weird signals, or if any other weird behavior occurred around 5 hours ago (per the deletion of your wtmp).

There are several very good tools that can help you identify your attacker. Installing ntop from the ports tree will give you a cool measurement of who is accessing what IP/ports on your segment. You could use that to learn what IPs access your port 50505. Now is probably the time to mention that you could set log_in_vain="YES" in your /etc/rc.conf to have invalid access to closed ports reported to syslog.

As for security-oriented programs, you could use snort to look for malicious network activity, but that's a bit late. What could really be of interest is something like tripwire to see what files are accessed by your attacker.

Best Regards,

Yonatan Bokovza
IT Security Consultant
Xpert Systems

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
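The promiscuous-mode check suggested in the reply, as an added example that is not part of the original mail or thread: a POSIX shell filter that reports every interface whose ifconfig flags carry PROMISC, run here over a constructed FreeBSD 4.x-style `ifconfig -a` dump (interface names, addresses and flag values are made up for the sample).

```shell
#!/bin/sh
# Added example (not from the original mail): list interfaces whose ifconfig
# flags line contains PROMISC, the sniffer indicator the reply points at.
# On a real host feed live output instead:  ifconfig -a | promisc_ifaces

# Read "ifconfig -a" output on stdin; print one interface name per line for
# every interface header whose <...> flag list contains PROMISC.
promisc_ifaces() {
    awk '
        # Header lines look like: "xl0: flags=8943<UP,...,PROMISC,...> mtu 1500"
        /^[a-z0-9]+: flags=/ {
            name = $1; sub(/:$/, "", name)
            if ($0 ~ /<[^>]*PROMISC[^>]*>/) print name
        }'
}

# Constructed sample dump: xl0 is in promiscuous mode, xl1 and lo0 are not.
SAMPLE_IFCONFIG='xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01
        media: autoselect (100baseTX <full-duplex>) status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 198.51.100.7 netmask 0xffffff00 broadcast 198.51.100.255
        ether 00:00:5e:00:53:02
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Run the filter over the constructed sample; returns the flagged names.
check_sample() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
}

# Report the result the way an on-host check would.
if [ -n "$(check_sample)" ]; then
    echo "interfaces in promiscuous mode: $(check_sample | tr '\n' ' ')"
else
    echo "no interface in promiscuous mode"
fi
```

Only the interface header lines are inspected, so a `<full-duplex>` token on a media line cannot produce a false hit.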