From owner-freebsd-security Tue Nov 13 15:33:28 2001
Date: Wed, 14 Nov 2001 10:31:18 +1100 (EST)
From: Rob Hurle
To: Stefan Probst
Subject: Re: Adore worm
In-Reply-To: <5.1.0.14.2.20011114000437.02050a70@MailServer>
Message-ID: <20011114100516.L432-100000@freebsd.connect-a.com.au>
List: freebsd-security@FreeBSD.ORG

Hi Stefan,

> Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> worm - or infested by purpose:
>
> I found a new directory /usr/lib/.fx/
> which contains all kind of stuff.
> One README file says:
>
> %cat README
>   AdoreBSD 0.34 - Based off Linux Adore by Stealth
>   Copyright (c) 2001 bind@gravitino.net
>
>   Developed on FreeBSD 4.3-STABLE
>
>   Installation:
> ....
>
> Anything known? Any ideas what to do? Looking forward to pointers....

This is a common one I think. I was hit by it a few weeks ago too. Not sure if there's a safe way to undo the damage - in my case I had been putting off the upgrade to 4.4 because of the usual laziness, and so I just upgraded.

A couple of pointers. I had noticed (by using `last`) a few pokes at my system in the weeks prior to the attack (from somewhere with a *.de domain name).
The first thing the attack does is to delete everything in /var/log so that you can not see what is going on. The `ps` that is installed works on 4.3 (obviously not on 4.2) and hides some processes from you. The /bin/xterm is activated at startup (the call is installed in rc.conf), and a new telnetd is installed. I'm not sure what these things do, but they may poo over everything - the best advice is what others have said, re-install.

As for how to avoid it, I'm not sure. telnetd had a problem, and I seem to remember there was a security advisory on inetd before 4.4. People advise ssh, but I notice that this particular attack also has a new version of ssh to install, so I don't know about that. I've had a brief look at ssh, but it needs some careful configuration. Firewalls are not much help, because it starts with a legitimate request to telnetd or inetd, and then crashes them.

Sorry not to be of much help.

Cheers,
Rob

-----------------------------------------------------
Rob Hurle               Tel:        +61 2 6247 2397
PO Box 13               Fax:        +61 2 6247 2397
Ainslie                 Cell phone: 0417 293 603
Australia               e-mail:     rob@coombs.anu.edu.au
-----------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
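The following is an added example, not part of Rob's message and not code from the AdoreBSD kit: a small sh script that checks a FreeBSD box for the indicators Rob lists (the hidden /usr/lib/.fx directory and its README, an rc.conf entry that starts /bin/xterm, the emptied /var/log, and a `ps` that hides processes). The function names and the ROOT argument, which lets the filesystem checks run against a disk mounted read-only under a clean install instead of the live root, are assumptions made for the example; the process check compares what `ps` reports with the PID entries in procfs, which the trojaned `ps` does not control.

```shell
#!/bin/sh
# Indicator checks for the AdoreBSD-style compromise described in the thread.
# Added example; not Rob's code and not the kit's. Paths come from the thread
# (/usr/lib/.fx, the rc.conf call to /bin/xterm, the wiped /var/log, the ps
# that hides processes). Function names and the ROOT argument are assumptions.
#
# Findings go to stderr; each check returns 0 when it finds something.

check_fx_dir() {                       # $1: root of the filesystem to inspect
    d="${1%/}/usr/lib/.fx"
    [ -d "$d" ] || return 1
    echo "FOUND: hidden directory $d" >&2
    if [ -f "$d/README" ] && grep -q 'AdoreBSD' "$d/README"; then
        echo "FOUND: $d/README identifies itself as AdoreBSD" >&2
    fi
    return 0
}

check_rc_conf_xterm() {                # $1: root
    f="${1%/}/etc/rc.conf"
    [ -f "$f" ] || return 1
    hits=$(grep -n '/bin/xterm' "$f") || return 1
    echo "FOUND: $f starts /bin/xterm at boot:" >&2
    echo "$hits" >&2
    return 0
}

check_bin_xterm() {                    # $1: root
    x="${1%/}/bin/xterm"
    [ -e "$x" ] || return 1
    echo "FOUND: $x exists (the base system ships no xterm in /bin)" >&2
    return 0
}

check_var_log_empty() {                # $1: root
    d="${1%/}/var/log"
    [ -d "$d" ] || return 1
    [ -z "$(ls -A "$d")" ] || return 1
    echo "FOUND: $d is empty; logs appear to have been wiped" >&2
    return 0
}

# Run every filesystem check against ROOT and print how many fired.
adore_indicator_count() {              # $1: root (default /)
    r=${1:-/}
    n=0
    for c in check_fx_dir check_rc_conf_xterm check_bin_xterm check_var_log_empty; do
        if "$c" "$r"; then n=$((n + 1)); fi
    done
    echo "$n"
    return 0
}

# A trojaned ps hides processes, but procfs is populated by the kernel, so a
# PID present under procfs and absent from ps output is suspect. $1 is a file
# of PIDs as reported by ps (e.g. `ps ax -o pid=`), $2 the procfs mount point.
# Prints the PIDs that ps did not show.
hidden_pids() {
    pslist=$1; procdir=${2:-/proc}
    for entry in "$procdir"/*; do
        pid=${entry##*/}
        case $pid in
            *[!0-9]*) continue ;;      # skip self, curproc, or a literal '*'
        esac
        grep -Eqx "[[:space:]]*$pid[[:space:]]*" "$pslist" || echo "$pid"
    done
    return 0
}

# Usage on a live system (run ps, ls and grep from trusted media; the
# installed copies may be the kit's):
#   adore_indicator_count /
#   ps ax -o pid= > /tmp/ps.pids && hidden_pids /tmp/ps.pids /proc
```

None of this repairs anything; as the thread says, the only safe course once the kit is present is to reinstall from known-good media. The checks are there to tell you whether you are looking at the same kit, and to do it against a disk mounted from a clean system rather than through binaries the intruder replaced.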