From owner-freebsd-security@FreeBSD.ORG Sat May 22 06:08:02 2004
Message-ID: <031a01c43fcb$a45fcfb0$0f01a8c0@razor>
From: "RazorOnFreeBSD"
To: freebsd-security@freebsd.org
References: <021f01c43f3a$e7eb7f40$0f01a8c0@razor> <40AF19B2.1090905@computerpech.nl>
Date: Sat, 22 May 2004 09:08:53 +0200
Subject: Re: Hacked or not ?
List-Id: Security issues [members-only posting]

Thanks a lot everyone, I have enough to work on ;)
You were really helpful, and for sure those who use the mailing list search function will appreciate it too!

razor

----- Original Message -----
From: "M. Boelen"
To: "RazorOnFreeBSD"
Sent: Saturday, May 22, 2004 11:13 AM
Subject: Re: Hacked or not ?
> Hi,
>
> Someone else already told you about Rootkit Hunter, but forgot to
> say you can install it from the FreeBSD Ports collection
> (/usr/ports/security/rkhunter) ;-)
>
> (it has been added this month, so a lot of FreeBSD users don't know it
> yet)
>
> Michael Boelen
> Author of Rootkit Hunter
>
> > Hi,
> >
> > I have a 4.9-STABLE FreeBSD box, apparently hacked!
> > Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> > Those are:
> >
> > chfn ... INFECTED
> > chsh ... INFECTED
> > date ... INFECTED
> > ls ... INFECTED
> > ps ... INFECTED
> >
> > But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
> > I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x,
> > but I'm not in that case. So I'm a little bit afraid, and as a newbie I don't really know what to do....
> > I tried "truss ls" to find something strange, and here are the outputs with something... suspicious to me:
> >
> > ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
> > ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
> > getuid() = 0 (0x0)
> > readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
> > mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
> > break(0x809b000) = 0 (0x0)
> > break(0x809c000) = 0 (0x0)
> > break(0x809d000) = 0 (0x0)
> > break(0x809e000) = 0 (0x0)
> > ........................................................................... and so on!
> >
> > And if I am an intrusion victim.... what can I do? How can I restore those files? And how can I find out how this cracker managed to break my firewall? I mean, where is the security hole?
> >
> > PS: After verification on other commands declared not infected, I found out this ERR#2 is common.... maybe I have another problem here!
> >
> > Thanks everyone!
> > razor.
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> --
>
> This is my mailbox. There are many like it but this one is mine.
> My mailbox is my best friend. It is my life. I must master it as I
> master my life.
>
> My mailbox, without me is useless. Without my mailbox, I am useless.
> I must empty my mailbox true. I must clean him before he gets full.
> I will....
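Editor's added example, not part of the thread above and not code from chkrootkit or Rootkit Hunter: the practical way to settle "hacked or not" for binaries a signature scanner flags as INFECTED is to compare them against a baseline taken from a trusted source (the install media, or a world built on a clean machine), because a scanner's verdict on a platform it handles imperfectly is neither proof of compromise nor proof of innocence. The POSIX sh script below records a cksum(1) checksum for every regular file under a tree and later reports files that changed, disappeared or appeared. On a FreeBSD box you would normally prefer md5(1)/sha256(1) or mtree(8) with -K sha256digest, and you would run find, cksum and diff from a trusted medium, since ls and ps themselves are among the suspects. As for the readlink of etc/malloc.conf in the truss output: FreeBSD's malloc(3) looks for an optional /etc/malloc.conf symlink holding its tuning flags, which is absent on most systems, so that ENOENT is expected and not by itself evidence of tampering. The function names, the command-line layout and the sample tree used in the usage note are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): file-integrity baseline and check.
# Uses only POSIX tools (find, cksum, sort, diff, awk) so it runs anywhere; on
# FreeBSD you would usually prefer md5(1)/sha256(1) or mtree(8) -K sha256digest.
# The baseline MUST come from a trusted copy of the binaries (install media, a
# world built on a clean host); a baseline taken on the suspect box proves nothing.

# build_manifest DIR OUTFILE
# Record "crc size ./relative/path" for every regular file under DIR, sorted so
# that two manifests of the same tree are byte-for-byte comparable with diff.
build_manifest() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        cksum "$f"
    done ) > "$out"
}

# verify_manifest DIR MANIFEST
# Rescan DIR and compare with MANIFEST. Prints one relative path per line for
# every file whose checksum or size changed, that was removed, or that is new.
# Returns 0 when the tree matches the baseline, 1 when it does not, 2 on error.
verify_manifest() {
    dir=$1
    manifest=$2
    fresh=$(mktemp "${TMPDIR:-/tmp}/manifest.XXXXXX") || return 2
    build_manifest "$dir" "$fresh"
    # diff marks a baseline-only record with '<' (file removed, or its old
    # checksum) and a rescan-only record with '>' (file added, or its new
    # checksum); the path is the last field of either record.
    changed=$(diff "$manifest" "$fresh" | awk '/^[<>]/ { print $NF }' | LC_ALL=C sort -u)
    rm -f "$fresh"
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# Command-line use (hypothetical paths):
#   sh integrity.sh build  /mnt/cdrom/bin  bin.cksum   # baseline from trusted media
#   sh integrity.sh verify /bin            bin.cksum   # check the suspect box
# Manifest paths are relative to the tree root, so the baseline can be built from
# one mount point and verified against another.
case "${1-}" in
    build)  build_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

The script answers "which files differ", not "which file is the original": restoring a binary still means reinstalling it from the trusted source, and a clean result for /bin says nothing about the kernel, loaded modules or configuration files, which need their own baselines.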