Date: Wed, 14 Nov 2001 10:31:18 +1100 (EST)
From: Rob Hurle <rob@coombs.anu.edu.au>
To: Stefan Probst <stefan.probst@opticom.v-nam.net>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Adore worm
Message-ID: <20011114100516.L432-100000@freebsd.connect-a.com.au>
In-Reply-To: <5.1.0.14.2.20011114000437.02050a70@MailServer>
Hi Stefan,

> Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> worm - or infested on purpose:
>
> I found a new directory /usr/lib/.fx/
> which contains all kind of stuff.
> One README file says:
> >%cat README
> > AdoreBSD 0.34 - Based off Linux Adore by Stealth
> > Copyright (c) 2001 bind@gravitino.net
> >
> >Developed on FreeBSD 4.3-STABLE
> >
> >Installation:
> ....<snip>
> Anything known? Any ideas what to do? Looking forward to pointers....

This is a common one I think. I was hit by it a few weeks ago too. Not sure if there's a safe way to undo the damage - in my case I had been putting off the upgrade to 4.4 because of the usual laziness, and so I just upgraded.

A couple of pointers. I had noticed (by using `last`) a few pokes at my system in the weeks prior to the attack (from somewhere with a *.de domain name). The first thing the attack does is to delete everything in /var/log so that you cannot see what is going on. The `ps` that is installed works on 4.3 (obviously not on 4.2) and hides some processes from you. The /bin/xterm is activated at startup (the call is installed in rc.conf), and a new telnetd is installed. I'm not sure what these things do, but they may poo over everything - the best advice is what others have said, re-install.

As for how to avoid it, I'm not sure. telnetd had a problem, and I seem to remember there was a security advisory on inetd before 4.4. People advise ssh, but I notice that this particular attack also has a new version of ssh to install, so I don't know about that. I've had a brief look at ssh, but it needs some careful configuration. Firewalls are not much help, because it starts with a legitimate request to telnetd or inetd, and then crashes them.

Sorry not to be of much help.
Cheers, Rob
-----------------------------------------------------
Rob Hurle                 Tel: +61 2 6247 2397
PO Box 13                 Fax: +61 2 6247 2397
Ainslie                   Cell phone: 0417 293 603
Australia                 e-mail: rob@coombs.anu.edu.au
-----------------------------------------------------
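One way to look for the traces Rob and Stefan describe on a suspect disk, as an added example that is not part of the thread or of any FreeBSD tool: the paths it checks (/usr/lib/.fx, /bin/xterm referenced from rc.conf, an emptied /var/log) are taken from the mail, while the sample tree it builds to exercise the checks is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: look for the traces described in the
# mail (/usr/lib/.fx, /bin/xterm started from rc.conf, an emptied /var/log).
# Because the kit replaces ps (and, per the mail, possibly more), run this
# from clean boot media against a mounted disk, passing the mount point as
# $1; the sample tree built below is constructed for the demo only.

# Print one line per indicator to stderr; print the hit count to stdout.
adore_check() {
    root="${1:-/}"
    hits=0
    # Hidden directory holding the kit (named in the README Stefan quoted).
    if [ -d "$root/usr/lib/.fx" ]; then
        echo "HIT: $root/usr/lib/.fx exists" >&2
        hits=$((hits + 1))
    fi
    # Startup hook: nothing in a stock rc.conf launches /bin/xterm.
    if [ -f "$root/etc/rc.conf" ] && grep -q '/bin/xterm' "$root/etc/rc.conf"; then
        echo "HIT: /bin/xterm referenced in $root/etc/rc.conf" >&2
        hits=$((hits + 1))
    fi
    # The binary itself: xterm lives under the X11 tree, never in /bin.
    if [ -e "$root/bin/xterm" ]; then
        echo "HIT: $root/bin/xterm present" >&2
        hits=$((hits + 1))
    fi
    # Log wipe: a running system always has at least /var/log/messages.
    if [ -d "$root/var/log" ] && [ -z "$(ls -A "$root/var/log")" ]; then
        echo "HIT: $root/var/log is empty" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# Constructed sample tree that mimics the compromised box (demo only).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/lib/.fx" "$t/var/log" "$t/etc" "$t/bin"
    printf 'sshd_enable="YES"\n/bin/xterm &\n' > "$t/etc/rc.conf"
    : > "$t/bin/xterm"
    echo "$t"
}

# Demo run; on a real host replace "$sample" with the mounted disk's root.
sample=$(make_sample_tree)
echo "indicators found: $(adore_check "$sample")"
rm -rf "$sample"
```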