Date: Wed, 1 Aug 2001 17:48:39 +0300
From: Yonatan Bokovza <Yonatan@xpert.com>
To: 'Maximum' <m-a-x-i-m-u-m@mail.ru>, freebsd-security@freebsd.org
Subject: RE: Trojan injected in my Freebsd 4.1-RELEASE
Message-ID: <EB513E68D3F5D41191CA00025558810150D5AD@mailserv.xpert.com>
Hi

<snip>
> Examining logs I had not found any records about visit of
> hacker. Wtmp was cleared 5 hours back from time of created
> hackers scripts.
>
> I'm going not only remove this trojan from my box, but find
> from where attack was made and the way attack was made.
<snip>
> In one of shell script I'm talking about I found copyright
> mark "nrfbsdrk v0.1 by gREMLiNs".

This will translate to "NRF BSD RootKit" in human-speak. I can't trivially find any information about it, so I'll be happy if you'll send me a tarball of this offline, for deeper analysis.

It seems from your mail that you don't have any important information on this server and don't care about its being hacked; you just want to learn about the hacker. Having noted that, I won't lead you through the usual path of "newfs this machine and reinstall from backup". It _is_, however, important to understand that this machine might pose a threat to the rest of your network. Use ifconfig to see if the interfaces are in promiscuous mode, meaning your attacker is probably sniffing for more username/password combos. Dig around /var/log and see if any program exited with weird signals, or any other weird behavior that occurred around 5 hours ago (per the deletion of your wtmp).

There are several very good tools that can help you in identifying your attacker. Installing ntop from the ports tree will give you a cool measurement of who is accessing what IP/ports on your segment. You could use that to learn what IP accesses your 50505 port. Now is probably the time to mention you could use log_in_vain="YES" in your /etc/rc.conf to have invalid access to closed ports reported to syslog. As for security-oriented programs, you could use snort to look for malicious network activity, but that's a bit late. What could really be of interest is something like tripwire to see what files are accessed by your attacker.
Best Regards,
Yonatan Bokovza
IT Security Consultant
Xpert Systems
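The three host-side checks the reply recommends (interfaces in promiscuous mode, log_in_vain in /etc/rc.conf, daemons exiting on signals in the logs) as an added triage helper that is not part of the original thread. It parses constructed ifconfig, rc.conf and syslog snippets instead of running the commands, so it works offline with plain sh and awk; on a real box you would pipe `ifconfig -a`, `/etc/rc.conf` and `/var/log/messages` into the same functions.

```sh
#!/bin/sh
# Added example, not from the original mail. Sample inputs are constructed.

# Print interfaces whose ifconfig flags include PROMISC (someone is sniffing).
promisc_ifaces() {
    # Matches lines like "xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,...> mtu 1500"
    awk '/^[a-z0-9]+: flags=/ && /<[^>]*PROMISC[^>]*>/ { sub(":", "", $1); print $1 }'
}

# Return 0 if rc.conf has an active (uncommented) log_in_vain="YES", 1 otherwise.
log_in_vain_enabled() {
    grep -Eq '^[[:space:]]*log_in_vain="?YES"?'
}

# Print kernel/syslog lines reporting a process that died on a signal;
# replaced or trojaned binaries often leave such crashes behind.
signal_exits() {
    grep -E 'exited on signal [0-9]+'
}

# Constructed FreeBSD 4.x-style samples for a stand-alone run.
SAMPLE_IFCONFIG='xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

SAMPLE_RC_CONF='sshd_enable="YES"
#log_in_vain="YES"
inetd_enable="NO"'

SAMPLE_SYSLOG='Aug  1 12:40:01 host /kernel: pid 412 (inetd), uid 0: exited on signal 11 (core dumped)
Aug  1 12:41:15 host cron[501]: (root) CMD (/usr/libexec/atrun)'

echo "Interfaces in promiscuous mode:"
printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces

if printf '%s\n' "$SAMPLE_RC_CONF" | log_in_vain_enabled; then
    echo "log_in_vain is enabled"
else
    echo "log_in_vain is NOT enabled; add log_in_vain=\"YES\" to /etc/rc.conf"
fi

echo "Processes that exited on a signal:"
printf '%s\n' "$SAMPLE_SYSLOG" | signal_exits
```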