From owner-freebsd-security Wed Aug 1 10:55:45 2001
Message-Id: <4.3.2.7.2.20010801115333.0476d100@localhost>
Date: Wed, 01 Aug 2001 11:55:15 -0600
To: "Maximum", freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE
Sender: owner-freebsd-security@FreeBSD.ORG

At 08:24 AM 8/1/2001, Maximum wrote:

>In one of shell script I'm talking about i found copyright mark "nrfbsdrk v0.1 by gREMLiNs".

The final letters of "nrfbsdrk" almost certainly stand for "FreeBSD rootkit."
I'd be interested in knowing what was exploited to install it. Could be BIND
or telnetd.

--Brett