From owner-freebsd-security@FreeBSD.ORG Fri May 21 21:30:02 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D49A016A4CE for ; Fri, 21 May 2004 21:30:02 -0700 (PDT)
Received: from dreadful.org (dreadful.org [209.237.255.180]) by mx1.FreeBSD.org (Postfix) with ESMTP id C1EAE43D39 for ; Fri, 21 May 2004 21:30:02 -0700 (PDT) (envelope-from dan@dreadful.org)
Received: from dreadful.org (localhost.servforce.com [127.0.0.1]) by dreadful.org (Postfix) with ESMTP id B22A611477; Fri, 21 May 2004 21:37:40 -0700 (PDT)
Received: from localhost (dan@localhost) by dreadful.org (8.12.10/8.12.10/Submit) with ESMTP id i4M4bejl066898; Fri, 21 May 2004 21:37:40 -0700 (PDT) (envelope-from dan@dreadful.org)
Date: Fri, 21 May 2004 21:37:40 -0700 (PDT)
From: Daniel Spielman
To: RazorOnFreeBSD
In-Reply-To: <021f01c43f3a$e7eb7f40$0f01a8c0@razor>
Message-ID: <20040521213623.D16177@dreadful.org>
References: <021f01c43f3a$e7eb7f40$0f01a8c0@razor>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: Hacked or not ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 22 May 2004 04:30:03 -0000

Razor,

Download the source and recompile those binaries and see if chkrootkit gives you the same 'INFECTED' messages.

Daniel M. Spielman

On Fri, 21 May 2004, RazorOnFreeBSD wrote:

> Hi,
>
> I have a 4.9-STABLE FreeBSD box, apparently hacked!
> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> Those are:
> chfn ... INFECTED
> chsh ... INFECTED
> date ... INFECTED
> ls ... INFECTED
> ps ... INFECTED
>
> But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
> I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x,
> but I'm not in that case. So I'm a little bit afraid, and as a newbie I don't really know what to do....
> I tried "truss ls" to find something strange, and here are the outputs with something... suspicious for me:
>
> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
> getuid() = 0 (0x0)
> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
> break(0x809b000) = 0 (0x0)
> break(0x809c000) = 0 (0x0)
> break(0x809d000) = 0 (0x0)
> break(0x809e000) = 0 (0x0)
> ...........................................................................................and so on!
>
> And if I am an intrusion victim.... what can I do? How can I restore those files? And how can I find out what this cracker did to break my firewall? I mean, where is the security hole?
> PS: After verification on other commands declared not infected, I found out this ERR#2 is common.... maybe I have another problem here!
>
> Thanks everyone!
> razor.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
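Daniel's advice above is to rebuild the flagged binaries from known-good source and compare. The script below, which is an added example and not code from either poster or from chkrootkit, turns that into a repeatable check: build a manifest of SHA-256 digests from a tree you trust (a fresh build, or the install media), then compare the live binaries against it and report anything modified or missing. The directory names, file contents and the `digest_file`, `make_manifest` and `verify_manifest` helper names are all constructed for the demonstration; the only assumed tools are POSIX `find`/`sort`/`mktemp` and either `sha256sum` (Linux) or `sha256` (FreeBSD).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Compares installed
# binaries against a baseline digest manifest built from a trusted tree.
set -u

# Pick a SHA-256 tool: sha256sum on Linux/coreutils, sha256(1) on FreeBSD.
digest_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_manifest DIR MANIFEST
# Records one "digest path" line per regular file under DIR, sorted so
# two manifests of the same tree are byte-for-byte comparable.
make_manifest() {
    dir=$1; out=$2
    : > "$out"
    find "$dir" -type f | sort | while read -r f; do
        printf '%s %s\n' "$(digest_file "$f")" "$f" >> "$out"
    done
}

# verify_manifest MANIFEST
# Prints "MODIFIED path" or "MISSING  path" for every discrepancy.
# Returns 0 when every file matches, 1 otherwise.
verify_manifest() {
    manifest=$1
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
        elif [ "$(digest_file "$path")" != "$want" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# Demonstration on a constructed scratch tree standing in for /bin.
demo_run() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    printf 'pretend ls binary\n' > "$work/bin/ls"   # constructed sample
    printf 'pretend ps binary\n' > "$work/bin/ps"   # constructed sample
    make_manifest "$work/bin" "$work/baseline.sha256"

    echo "--- clean tree"
    verify_manifest "$work/baseline.sha256" && echo "OK: all files match baseline"

    # Simulate what a replaced ps and a deleted ls would look like.
    printf 'extra bytes\n' >> "$work/bin/ps"
    rm "$work/bin/ls"
    echo "--- after changes"
    verify_manifest "$work/baseline.sha256" || echo "ALERT: baseline mismatch"

    rm -rf "$work"
}

demo_run
```

Two caveats matter when this is run for real rather than on the scratch tree. First, the manifest must come from a tree you trust and be stored off the suspect host (or on read-only media), because a manifest generated on an already-compromised machine only proves the files still match their tampered state. Second, the comparison tools themselves (`sh`, `find`, `sha256`) live on the same system as the binaries chkrootkit flagged, so run the check from a clean boot medium or with statically linked copies of the tools. As for the `readlink("/etc/malloc.conf")` ENOENT that Razor saw in every traced program: FreeBSD's libc malloc of that era looks for that optional tuning symlink on first use, so its absence is expected rather than a sign of tampering.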