From owner-freebsd-questions Sun Dec 16 16:22:19 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail2.mediadesign.nl (md2.mediadesign.nl [212.19.205.67]) by hub.freebsd.org (Postfix) with SMTP id 03DE637B419 for ; Sun, 16 Dec 2001 16:22:16 -0800 (PST)
Received: (qmail 6403 invoked by uid 1002); 17 Dec 2001 00:22:09 -0000
From: "Alson van der Meulen"
Date: Mon, 17 Dec 2001 01:22:09 +0100
To: freebsd-questions@freebsd.org
Subject: Re: Strange Behaviour 'ls'
Message-ID: <20011217012209.Z10171@md2.mediadesign.nl>
Mail-Followup-To: freebsd-questions@freebsd.org
References: <9vj6q4$6pr$1@news1.xs4all.nl> <9vjdbb$5g0$1@news1.xs4all.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <9vjdbb$5g0$1@news1.xs4all.nl>
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, Dec 17, 2001 at 01:13:29AM +0100, hjs wrote:
> Another thing I found....
>
> When I go to my FreeBSD box through ftp and go to directory /bin and do an
> ls, I see that two files have at least been touched (could have been me, but
> I am not sure) on December 13th. They are ls and ps. ps still seems to work
> though.
>
> Can I safely do a
> make depend && make && make install
> from their directories in /usr/src/bin or should I do something else to
> rebuild them.

I think your box has been trojaned, probably through telnetd, or possibly
some other way:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.v1.1.asc

ps and ls are often trojaned: ps probably hides certain processes the cracker
runs, and ls some files. You can often see the files using `find' or
`echo *', but you can't really trust _anything_ on that box.

If possible, take that box offline immediately, back up all _data_ (not
binaries), and reinstall using 4.4-RELEASE.

This box is possibly being used to crack/flood other computers or to serve
warez. If reinstalling really isn't a possibility, try installing chkrootkit
(/usr/ports/security/chkrootkit) and try to find all files the attacker
left, and the corresponding log entries. At least you should patch all
security holes (http://www.freebsd.org/security/index.html) or upgrade to
4.4-RELEASE.

This is NOT something that will be fixed by reinstalling ps and ls, since
possibly more trojans are installed and they can get in again the same way
they used previously.

Please contact me if you have any more questions,

Alson
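The `find' / `echo *' cross-check from the reply, written out as a small POSIX sh triage script. This is an added example, not code from the thread or from FreeBSD; the function names and the `lscheck` temp-file prefix are my own, and it assumes `ls -A1`, `find -mindepth/-maxdepth`, `comm` and `mktemp -t` are available (true on FreeBSD and GNU systems).

```shell
#!/bin/sh
# Cross-check a directory listing from a possibly trojaned ls(1) against
# two independent views of the same directory: find(1) and the shell's own
# globbing (the `echo *' trick from the reply). A rootkit-patched ls drops
# names from its output; find and the glob never go through ls, so any name
# they return that ls omits deserves a closer look.
# Caveat: on a compromised host find and the shell may be replaced too, so
# this is a quick triage aid, not a trust anchor.

export LC_ALL=C   # byte-wise collation so sort(1) and comm(1) agree

# Names reported by a given ls binary ($2, default: the one in PATH),
# dotfiles included, one per line, sorted for comparison.
names_via_ls() {
    "${2:-ls}" -A1 -- "$1" | sort
}

# Names reported by find(1), which reads the directory itself.
names_via_find() {
    (cd "$1" && find . -mindepth 1 -maxdepth 1 | sed 's|^\./||') | sort
}

# Names via shell globbing; the three patterns cover plain names,
# dotfiles, and names beginning with "..".
names_via_glob() {
    (cd "$1" && for f in * .[!.]* ..?*; do
        { [ -e "$f" ] || [ -L "$f" ]; } && printf '%s\n' "$f"
    done) | sort
}

# Print names present in the find listing but absent from the ls listing.
# Returns 0 when the two views agree, 1 when ls is hiding something.
hidden_from_ls() {
    dir=$1; ls_bin=${2:-ls}
    tmp_ls=$(mktemp -t lscheck.XXXXXX); tmp_find=$(mktemp -t lscheck.XXXXXX)
    names_via_ls "$dir" "$ls_bin" > "$tmp_ls"
    names_via_find "$dir" > "$tmp_find"
    hidden=$(comm -13 "$tmp_ls" "$tmp_find")   # lines only in the find list
    rm -f "$tmp_ls" "$tmp_find"
    if [ -n "$hidden" ]; then
        printf '%s\n' "$hidden"
        return 1
    fi
    return 0
}

# Usage on the directory from the thread:
# hidden_from_ls /bin || echo "ls disagrees with find; investigate"
```

Run it with a known-good `ls` copied from install media as the second argument to compare the suspect binary's view against a trusted one.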