From owner-freebsd-security Wed Aug 1 8:17:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from sunny.fishnet.com (sunny.fishnet.com [209.150.200.6]) by hub.freebsd.org (Postfix) with ESMTP id A2E6F37B401 for ; Wed, 1 Aug 2001 08:17:49 -0700 (PDT) (envelope-from mschlosser@eschelon.com) Received: from walleye.corp.fishnet.com (209.150.197.205) by sunny.fishnet.com (5.0.048) id 3B66D63D00011F4B; Wed, 1 Aug 2001 10:17:45 -0500 Received: by walleye.corp.fishnet.com with Internet Mail Service (5.5.2653.19) id ; Wed, 1 Aug 2001 10:21:02 -0500 Message-ID: <2FA3BA0C7551724CA6DDF4E345360505049EF1@walleye.corp.fishnet.com> From: "Schlosser, Matt D." To: 'Maximum' , "'freebsd-security@freebsd.org'" Subject: RE: Trojan injected in my Freebsd 4.1-RELEASE Date: Wed, 1 Aug 2001 10:21:01 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="koi8-r" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org If all you want to do is play with the hacker and not boot them, the best thing you can do is take careful steps in making sure they don't know you know. Don't do anything out of the ordinary that the other person might notice, do things quietly secretly. Stick the machine on a hub with another machine and have that machine sniff for traffic on that port. Then the person will not see you looking for them. With luck, you can build a sandbox around them without their knowledge. Could be a fun project. nrfbsdrk v0.1 by gREMLiNs means rootkit. This person doesn't seem very good since your security report told you they were there. Probably script kiddie turned dorm rat. -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Maximum Sent: Wednesday, August 01, 2001 9:24 AM To: freebsd-security@freebsd.org Subject: Trojan injected in my Freebsd 4.1-RELEASE Hi everybody, today I've got security report from my FreeBSD box that some suid files changed. That was /usr/bin/netstat, /usr/bin/fstat and /usr/bin/quote. Using chkproc programm from Nelson Murilo found at pangeia.com.br I found one stealth process. Running clean ps command i found ssh daemon sshd daemon named 'swapper' in process list. This daemon is attached to 50505 port. Also i found directory with other hacker's scripts and one of them contained full list of changed binaries that was : ps,ls,netstat,fstat,ldconfig and telnetd Examining logs I had not found any records about visit of hacker. Wtmp was cleared 5 hours back from time of created hackers scripts. I'm going not only remove this trojan from my box, but find from where attack was made and the way attack was made. Now I wrote small script that will run clean netstat and grep from output any connections to 50505 port and telnet port. This scripth I had included in my crontab and cron runs it every minute. This way I hope to find from where that man connects to me. Do you have any other suggestions to help me find how hacker injected trojan ? In one of shell script I'm talking about i found copyright mark "nrfbsdrk v0.1 by gREMLiNs". Thank you. Maxim Sorokin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message