Date: Fri, 9 May 2003 11:50:19 -0400
From: "Timothy R. Geier" <tgeier@acsmail.com>
To: Peter Elsner <peter@servplex.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Hacked?
Message-ID: <200305091150.30237.tgeier@acsmail.com>
In-Reply-To: <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
References: <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
On Friday 09 May 2003 10:21, Borja Marcos wrote:
> On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
> > open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
>
> Look at this. This is a rootkit. What is this file? :-) Probably the
> typical rootkit config file.
>
> The "strings" command was good at this, but I have seen lately some
> rootkits replacing the strings command. Truss seems to be safer, at
> least for now.
>
> > I'm not exactly sure what I'm looking at... Do you see anything out of
> > the ordinary?
>
> Yes, something like that :-)
>
> If you "truss" commands like netstat, ps, etc, I am sure you will find
> similar operations. Look for open system calls with weird filenames or
> files in weird places, like above.
>
> Borja.
>
To add a few more thoughts to this, the most likely places for rootkit
configurations and possibly executables are hidden directories under /tmp,
/dev/, and /var/tmp. Of course, these are not the only possible places, but
they are the most popular.
Also, the use of nmap or another port scanner from a remote machine can
discover if the rootkit has left any backdoor ports open. Since you've
restored netstat, though, "netstat -l" should work just as well. After
determining if there are any backdoors, I would recommend removing the
compromised machine from any network(s) it is on and then performing a
detailed analysis, restoration, and hardening. An article on this process
can be found at http://www.securityfocus.com/infocus/1692.
--
Timothy R. Geier, Systems Administrator
Advanced Communications Systems
tgeier@acsmail.com
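The two checks the thread describes, turning truss output into a list of suspicious open() targets and sweeping the usual drop points for hidden directories, as an added POSIX sh example. This is not code from the thread or from FreeBSD; the function names, the prefix list in SUSPECT_PREFIXES and the sample truss lines are constructed for the example (only the /dev/fd/.99/.ttyf00 line echoes the post). The listener check is included as a third helper but is host-dependent: sockstat -l is the FreeBSD tool for listening sockets, and the netstat fallback simply filters for LISTEN state.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for the checks
# discussed in the thread. SAMPLE_TRUSS below is constructed sample output in
# FreeBSD truss(1) format; only the /dev/fd/.99/.ttyf00 line echoes the post.

# Directories the post names as the usual rootkit drop points (assumption:
# extend this list for the host being examined).
SUSPECT_PREFIXES='/dev /tmp /var/tmp'

# flag_opens: read truss(1) output on stdin and print the target of every
# open() whose path sits under a suspect prefix and contains a dot-prefixed
# ("hidden") component. /etc/passwd and /dev/null are ignored; the post's
# /dev/fd/.99/.ttyf00 is flagged.
flag_opens() {
    sed -n 's/^open("\([^"]*\)".*/\1/p' | while IFS= read -r path; do
        for prefix in $SUSPECT_PREFIXES; do
            case "$path" in
                "$prefix"/.*|"$prefix"/*/.*) printf '%s\n' "$path"; break ;;
            esac
        done
    done
}

# Convenience wrapper so a captured truss log held in a variable can be
# passed directly (used by the demo and by callers that already read the log).
flag_opens_from_string() {
    printf '%s\n' "$1" | flag_opens
}

# find_hidden_dirs: list every directory whose name starts with "." below
# each root given; /dev/fd/.99 from the post is the shape being hunted.
# Roots that do not exist are skipped silently.
find_hidden_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -mindepth 1 -type d -name '.*' 2>/dev/null
    done
}

# list_listeners: show listening sockets with what the host offers.
# sockstat -l is FreeBSD's tool; the netstat fallback filters LISTEN state.
# Not run by the demo because its output depends on the host.
list_listeners() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -l
    else
        netstat -an 2>/dev/null | grep LISTEN
    fi
}

# Constructed sample truss output (not captured from any real host).
SAMPLE_TRUSS='open("/etc/passwd",0x0,0666) = 3 (0x3)
open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
open("/dev/null",0x1,0666) = 4 (0x4)
open("/tmp/.x/ps.conf",0x0,0666) = 5 (0x5)
open("/var/tmp/report.txt",0x0,0666) = 6 (0x6)
stat("/tmp/.hidden",0x7fffffffe000) = 0 (0x0)'

# demo: run the open() filter over the sample, then stage a fake /dev tree
# in a temp directory and sweep it for hidden directories.
demo() {
    echo "== suspicious open() targets =="
    flag_opens_from_string "$SAMPLE_TRUSS"
    stage=$(mktemp -d) || return 1
    mkdir -p "$stage/dev/fd/.99" "$stage/dev/plain"
    echo "== hidden directories under $stage/dev =="
    find_hidden_dirs "$stage/dev"
    rm -rf "$stage"
}

demo
```

On a live box the first function is fed with something like `truss netstat -an 2>&1 | flag_opens` and the second with `find_hidden_dirs /dev /tmp /var/tmp`; expect a few legitimate hits such as /tmp/.X11-unix and compare against a clean install of the same release rather than trusting the list blindly. Two caveats that follow from the thread: truss, sed and find are only as trustworthy as the binaries on the compromised disk, so run them from read-only or known-good media, and a port scan from a second machine is the one check here that does not depend on any tool on the suspect host at all.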