Date: Mon, 17 Dec 2001 01:22:09 +0100 From: "Alson van der Meulen" <alm@flutnet.org> To: freebsd-questions@freebsd.org Subject: Re: Strange Behaviour 'ls' Message-ID: <20011217012209.Z10171@md2.mediadesign.nl> In-Reply-To: <9vjdbb$5g0$1@news1.xs4all.nl> References: <9vj6q4$6pr$1@news1.xs4all.nl> <9vjdbb$5g0$1@news1.xs4all.nl>
On Mon, Dec 17, 2001 at 01:13:29AM +0100, hjs wrote:
> Another thing I found....
>
> When I go to my FreeBSD box through ftp and go to directory /bin and do an
> ls, I see that two files have at least been touched (could have been me, but
> I am not sure) on December 13th. They are ls and ps. ps still seems to work
> though.
>
> Can I safely do a
> make depend && make && make install
> from their directories in /usr/src/bin, or should I do something else to
> rebuild them?

I think your box has been trojaned, probably through telnetd, or possibly some other way:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.v1.1.asc

ps and ls are often trojaned; ps probably hides certain processes the cracker runs, and ls some files. You can often see the files using `find' or `echo *', but you can't really trust _anything_ on that box.

If possible, take that box offline immediately, back up all _data_ (not binaries), and reinstall using 4.4-RELEASE. This box is possibly being used to crack/flood other computers or to serve warez.

If a reinstall really isn't a possibility, try installing chkrootkit (/usr/ports/security/chkrootkit) and try to find all files the attacker left, and the corresponding log entries. At least you should patch all security holes (http://www.freebsd.org/security/index.html) or upgrade to 4.4-RELEASE.

This is NOT something that will be fixed by reinstalling ps and ls, since possibly more trojans are installed, and they can get in again the same way they used previously.

Please contact me if you have any more questions,

Alson
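The triage trick Alson mentions, seeing what a replaced `ls` suppresses by listing the directory through a different path, as an added example that is not part of the original thread. `trojaned_ls` is a constructed stand-in that filters out names containing "rk", the way a rootkit's `ls` hides its own files; the sample directory and its file names are likewise constructed for the demo. The comparison goes through `find(1)`, which reads the directory itself and so is unaffected by a swapped `ls` binary.

```shell
#!/bin/sh
# Added example: spot directory entries that a trojaned ls hides by
# diffing its output against a listing produced by find(1).
# Fixed collation so sort(1) and comm(1) agree on ordering.
export LC_ALL=C

# An honest listing: every entry, dotfiles included, one per line.
honest_ls() {
    command ls -A "$1"
}

# Constructed stand-in for a trojaned ls (not real rootkit code): it
# drops any entry whose name contains "rk", hiding the attacker's files.
trojaned_ls() {
    command ls -A "$1" | grep -v 'rk' || true
}

# Entries as seen by find(1), which reads the directory directly and does
# not go through the ls binary. Only the top level, names only, sorted.
list_via_find() {
    find "$1" -mindepth 1 -maxdepth 1 | sed 's|.*/||' | sort
}

# Print every name find(1) sees that the given ls command does not.
# Usage: hidden_by_ls DIR LS_FUNCTION
hidden_by_ls() {
    dir=$1
    lscmd=$2
    tmp_ls=$(mktemp "${TMPDIR:-/tmp}/cmp_ls.XXXXXX") || return 1
    tmp_find=$(mktemp "${TMPDIR:-/tmp}/cmp_find.XXXXXX") || return 1
    "$lscmd" "$dir" | sort > "$tmp_ls"
    list_via_find "$dir" > "$tmp_find"
    # comm -13: lines only in the second file, i.e. seen by find but not ls
    comm -13 "$tmp_ls" "$tmp_find"
    rm -f "$tmp_ls" "$tmp_find"
}

# Build a constructed sample directory: two ordinary binaries' names and
# one dotfile of the kind a trojaned ls would suppress. Prints the path.
make_sample_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/sample.XXXXXX") || return 1
    : > "$d/ls"
    : > "$d/ps"
    : > "$d/.rk"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "Hidden by honest ls:"
hidden_by_ls "$sample" honest_ls
echo "Hidden by trojaned ls:"
hidden_by_ls "$sample" trojaned_ls
rm -rf "$sample"
```

On a suspect host, run `hidden_by_ls /some/dir ls` (or with `echo *`-style globbing in place of `find`) to get a quick list of discrepancies. As the post says, this is only triage: a rootkit that patches libc or the kernel's directory reads will fool `find` and the shell glob just as well, which is why the advice is to take the box offline and reinstall rather than trust anything on it.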