From owner-freebsd-security Wed Aug 1 9:55:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (unknown [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id D90B237B408 for ; Wed, 1 Aug 2001 09:55:44 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 4366 invoked by uid 1000); 1 Aug 2001 16:54:40 -0000
Date: Wed, 1 Aug 2001 19:54:40 +0300
From: Peter Pentchev
To: "Nickolay A.Kritsky"
Cc: Maximum , freebsd-security@FreeBSD.ORG
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE
Message-ID: <20010801195440.B4274@ringworld.oblivion.bg>
Mail-Followup-To: "Nickolay A.Kritsky" , Maximum , freebsd-security@FreeBSD.ORG
References: <172110747676.20010801195853@internethelp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <172110747676.20010801195853@internethelp.ru>; from nkritsky@internethelp.ru on Wed, Aug 01, 2001 at 07:58:53PM +0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Aug 01, 2001 at 07:58:53PM +0400, Nickolay A.Kritsky wrote:
> Hello Maximum,
>
> Wednesday, August 01, 2001, 6:24:17 PM, you wrote:
>
> M> Hi everybody,
>
> M> Today I've got a security report from my FreeBSD box that some suid files changed. That was /usr/bin/netstat, /usr/bin/fstat and /usr/bin/quote.
>
> M> Using the chkproc program from Nelson Murilo found at pangeia.com.br I found one stealth process. Running a clean ps command I found an sshd daemon named 'swapper' in the process list. This daemon
> M> is attached to port 50505. Also I found a directory with other hacker's scripts and one of them contained the full list of changed binaries,
> M> that was: ps, ls, netstat, fstat, ldconfig and telnetd
>
> Looks strange to me. The list of changed setuid binaries is not the
> same as in your security report. You'd better check this out.

This is normal, and easily explained: of the listed changed binaries, only netstat and fstat are setgid. None of the others is either setuid or setgid, so they wouldn't be listed in the security report.

G'luck,
Peter

--
You have, of course, just begun reading the sentence that you have just finished reading.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
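Peter's point, as an added example that is not part of the thread: a mode-only audit of setuid/setgid files (what the nightly security report inspects) can only ever flag netstat and fstat out of the six replaced binaries, while a checksum baseline flags all six. The directory tree, file contents and the setgid bits are constructed stand-ins for the real FreeBSD binaries.

```sh
#!/bin/sh
# Added example, not from the thread. Shows why a setuid/setgid-only audit
# flags only netstat and fstat out of the six replaced binaries, and how a
# checksum baseline catches all six.
set -eu

# The six binaries named in the report; the tree built below is a constructed stand-in.
BINS="usr/bin/netstat usr/bin/fstat bin/ps bin/ls sbin/ldconfig usr/libexec/telnetd"

# Build a throwaway root with dummy files. Only netstat and fstat get the
# setgid bit, mirroring the real FreeBSD binaries. Prints the root path.
make_fixture() {
  root=$(mktemp -d)
  for rel in $BINS; do
    mkdir -p "$root/$(dirname "$rel")"
    printf 'original %s\n' "$rel" > "$root/$rel"
    chmod 755 "$root/$rel"
  done
  chmod g+s "$root/usr/bin/netstat" "$root/usr/bin/fstat"
  echo "$root"
}

# Setuid/setgid audit: list files whose mode has an s bit in the owner or
# group execute position (columns 4 and 7 of ls -l). Looks at mode, not content.
list_setid() {
  (cd "$1" && find . -type f) | while read -r f; do
    case "$(cd "$1" && ls -ld "$f" | cut -c1-10)" in
      ???[sS]*|??????[sS]*) echo "$f" ;;
    esac
  done
}

# Content audit: checksum every file so a same-mode replacement still shows.
baseline() { (cd "$1" && find . -type f -exec cksum {} + | sort); }

# Paths whose checksum differs from the saved baseline file.
changed_since() { baseline "$1" | diff "$2" - | sed -n 's/^> [0-9]* [0-9]* //p'; }

# Overwrite every listed binary in place, keeping its mode bits unchanged.
trojan_all() { for rel in $BINS; do printf 'replaced %s\n' "$rel" > "$1/$rel"; done; }

# Run the scenario; prints how many files each audit flags after replacement.
demo() {
  root=$(make_fixture); base="$root.base"
  baseline "$root" > "$base"
  trojan_all "$root"
  setid=$(list_setid "$root" | wc -l | tr -d ' ')              # 2: netstat, fstat
  content=$(changed_since "$root" "$base" | wc -l | tr -d ' ') # 6: all of them
  echo "$setid $content"
}
```

On a real FreeBSD host the same idea is what mtree(8) specification files or a stored checksum list give you; the security report's setuid scan is a narrower check by design.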