Date: Thu, 13 Sep 2001 12:56:16 +0300
From: Yonatan Bokovza <Yonatan@xpert.com>
To: 'Micke Josefsson' <mj@isy.liu.se>, freebsd-questions@freebsd.org
Subject: RE: What is ".nfsA09b24.4" doing in n´my /bin?
Message-ID: <EB513E68D3F5D41191CA00025558810150D6F5@mailserv.xpert.com>

Looks like a rootkit to me. Hadn't my HD died, I could verify my concern
that this is an Open/FreeBSD rootkit I found somewhere else.

http://www.cert.org/security-improvement/modules/m06.html
or in short form: newfs, reinstall, restore backup.

Yonatan.

> -----Original Message-----
> From: Micke Josefsson [mailto:mj@isy.liu.se]
> Sent: Thursday, September 13, 2001 12:35
> To: freebsd-questions@freebsd.org
> Subject: What is ".nfsA09b24.4" doing in n´my /bin?
>
>
> I recently found these files in /bin on an exported filesystem:
>
> -r-xr-sr-x  1 root  kmem    32376 18 Jun 17:13 .nfsA6bcb4.4
> -r-xr-xr-x  1 root  wheel  279972 18 Jun 17:13 .nfsA6c834.4
> -r-xr-xr-x  1 root  wheel  164332 30 Maj 11:57 .nfsA76da4.4
>
> What are they? Can I delete them?
>
> This may be a clue to some of you:
>
> #ident \.nf*
> .nfsA6bcb4.4:
> ident warning: no id keywords in .nfsA6bcb4.4
>
> .nfsA6c834.4:
>      $FreeBSD: src/contrib/nvi/common/exf.c,v 1.3 2000/01/10 09:17:46 kris Exp $
>
> .nfsA76da4.4:
>      $OpenBSD: ssh.c,v 1.69 2000/10/27 07:32:19 markus Exp $
>      $FreeBSD: src/crypto/openssh/ssh.c,v 1.4.2.4 2001/01/12 04:25:58 green Exp $
>      $OpenBSD: log-client.c,v 1.12 2000/09/12 20:53:10 markus Exp $
>      $OpenBSD: readconf.c,v 1.49 2000/10/11 20:27:23 markus Exp $
>      $FreeBSD: src/crypto/openssh/readconf.c,v 1.4.2.5 2001/03/04 15:13:08 markm Exp $
>      $OpenBSD: clientloop.c,v 1.39 2000/10/27 07:48:22 markus Exp $
>      $OpenBSD: sshconnect.c,v 1.79 2000/09/17 15:52:51 markus Exp $
>      $FreeBSD: src/crypto/openssh/sshconnect.c,v 1.4.2.6 2001/03/22 00:28:35 green Exp $
>      $OpenBSD: sshconnect1.c,v 1.8 2000/10/12 09:59:19 markus Exp $
>      $FreeBSD: src/crypto/openssh/sshconnect1.c,v 1.2.2.6 2001/03/22 00:28:35 green Exp $
>      $FreeBSD: src/crypto/openssh/sshconnect2.c,v 1.1.1.2.2.4 2001/03/22 00:28:35 green Exp $
>      $OpenBSD: sshconnect2.c,v 1.27 2000/10/19 16:45:16 provos Exp $
>      $OpenBSD: kex.c,v 1.12 2000/10/11 20:27:23 markus Exp $
>      $OpenBSD: dispatch.c,v 1.5 2000/09/21 11:25:34 markus Exp $
>      $OpenBSD: ttymodes.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
>      $OpenBSD: tildexpand.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
>      $OpenBSD: rsa.c,v 1.16 2000/09/07 20:27:53 deraadt Exp $
>      $FreeBSD: src/crypto/openssh/rsa.c,v 1.1.1.1.2.6 2001/02/12 06:45:42 kris Exp $
>      $OpenBSD: readpass.c,v 1.12 2000/10/11 20:14:39 markus Exp $
>      $OpenBSD: mpaux.c,v 1.14 2000/09/07 20:27:52 deraadt Exp $
>      $FreeBSD: src/crypto/openssh/mpaux.c,v 1.2.2.2 2000/10/28 23:00:48 kris Exp $
>      $OpenBSD: hostfile.c,v 1.20 2000/09/07 20:27:51 deraadt Exp $
>      $FreeBSD: src/crypto/openssh/hostfile.c,v 1.1.1.1.2.2 2000/10/28 23:00:48 kris Exp $
>      $OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $
>      $FreeBSD: src/crypto/openssh/authfile.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $
>      $OpenBSD: cli.c,v 1.2 2000/10/16 09:38:44 djm Exp $
>      $OpenBSD: match.c,v 1.9 2000/09/07 20:27:52 deraadt Exp $
>      $OpenBSD: dsa.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
>      $OpenBSD: xmalloc.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
>      $OpenBSD: packet.c,v 1.38 2000/10/12 14:21:12 markus Exp $
>      $OpenBSD: hmac.c,v 1.4 2000/09/07 20:27:51 deraadt Exp $
>      $OpenBSD: crc32.c,v 1.7 2000/09/07 20:27:51 deraadt Exp $
>      $OpenBSD: compress.c,v 1.9 2000/09/07 20:27:50 deraadt Exp $
>      $OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $
>      $FreeBSD: src/crypto/openssh/cipher.c,v 1.2.2.3 2001/01/12 04:25:56 green Exp $
>      $FreeBSD: src/crypto/openssh/channels.c,v 1.1.1.1.2.4 2001/03/22 00:28:34 green Exp $
>      $OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $
>      $OpenBSD: canohost.c,v 1.16 2000/10/21 17:04:22 markus Exp $
>      $FreeBSD: src/crypto/openssh/canohost.c,v 1.1.1.1.2.4 2001/01/12 04:25:56 green Exp $
>      $OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $
>      $FreeBSD: src/crypto/openssh/authfd.c,v 1.2.2.4 2001/01/12 04:25:55 green Exp $
>      $OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $
>      $OpenBSD: key.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
>      $FreeBSD: src/crypto/openssh/key.c,v 1.4.2.2 2000/10/28 23:00:48 kris Exp $
>      $OpenBSD: atomicio.c,v 1.7 2000/10/18 18:04:02 markus Exp $
>      $OpenBSD: uidswap.c,v 1.9 2000/09/07 20:27:55 deraadt Exp $
>      $FreeBSD: src/crypto/openssh/compat.c,v 1.1.1.1.2.4 2001/03/22 00:28:34 green Exp $
>      $OpenBSD: compat.c,v 1.27 2000/10/31 09:31:58 markus Exp $
>      $OpenBSD: bufaux.c,v 1.13 2000/09/07 20:27:50 deraadt Exp $
>      $FreeBSD: src/crypto/openssh/bufaux.c,v 1.2.2.2 2000/10/28 23:00:47 kris Exp $
>      $OpenBSD: uuencode.c,v 1.7 2000/09/07 20:27:55 deraadt Exp $
>      $OpenBSD: buffer.c,v 1.8 2000/09/07 20:27:50 deraadt Exp $
>      $OpenBSD: log.c,v 1.11 2000/09/30 16:27:43 markus Exp $
>      $OpenBSD: nchan.c,v 1.19 2000/09/07 20:27:52 deraadt Exp $
>
>
> Very curious...
>
> /Micke
>
> ----------------------------------
> Michael Josefsson, MSEE
> mj@isy.liu.se
>
> This message was sent by XFMail
> running on FreeBSD 4.4-RC
> ----------------------------------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message