Date: Fri, 9 May 2003 13:22:28 -0400
From: Chris BeHanna <behanna@zbzoom.net>
To: security@freebsd.org
Subject: Re: Hacked?
Message-ID: <200305091322.28708.behanna@zbzoom.net>
In-Reply-To: <5.2.0.9.2.20030509104258.017c6b50@mail.servplex.com>
References: <5.2.0.9.2.20030509090341.01796b58@mail.servplex.com> <5.2.0.9.2.20030509104258.017c6b50@mail.servplex.com>

On Friday 09 May 2003 11:45, Peter Elsner wrote:
> here's what's in /dev/fd/.99
>
> # cd /dev/fd/.99
> # ll
> -rw-r--r-- 1 root wheel 70 May 2 18:05 .ttyf00
>
> The contents of that file are:
>
> # more .ttyf00
> .99
> .ttyf00
> .ttyp00
> in.inetd
> sshd
> /sbin/sshd
> /usr/sbin/in.inetd
> .fx
>
> I have already restored my ls and now my dates are back to normal... I
> have also restored netstat.
>
> I am now going to do a complete re-install of all binaries...

*AFTER* you boot from CD-ROM and newfs every partition on the disk, right? That is the *only* way you can be sure you've removed all of the noisome pieces of the rootkit.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
Turning coffee into software since 1990.