Date: Sat, 10 May 2003 21:16:18 EAST
From: Adam Dewis <apdewis@postoffice.utas.edu.au>
To: freebsd-security@freebsd.org
Subject: Re: Hacked?
Message-ID: <200305101116.h4ABGMH21903@boyes.its.utas.edu.au>
On Fri, 09 May 2003 10:45:20 -0500 Peter Elsner wrote:
> here's what's in /dev/fd/.99
>
> # cd /dev/fd/.99
> # ll
> -rw-r--r-- 1 root wheel 70 May 2 18:05 .ttyf00
>
> The contents of that file are:
>
> # more .ttyf00
> .99
> .ttyf00
> .ttyp00
> in.inetd
> sshd
> /sbin/sshd
> /usr/sbin/in.inetd
> .fx
>
> I have already restored my ls and now my dates are back to normal... I
> have also restored netstat.
>
> I am now going to do a complete re-install of all binaries...
>
> Before I do, let me know if there's anything else you need...
>
> Peter
>

Doing a complete reinstall is all good and well, but installing a rootkit
means that the cracker used a hole to gain the required permissions to do so,
which in practicality means that you will need to patch the hole as well.
Unfortunately I cannot offer any advice on finding the hole, but mayhaps some
other security guru on this list may be able to steer you in the right
direction?

Adam
