Date: Wed, 14 Nov 2001 09:38:00 +0700
From: Stefan Probst <stefan.probst@opticom.v-nam.net>
To: freebsd-security@FreeBSD.ORG
Cc: Rob Hurle <rob@coombs.anu.edu.au>
Subject: Re: Adore worm
Message-ID: <5.1.0.14.2.20011114091904.0425b660@MailServer>
In-Reply-To: <Pine.NEB.3.96L.1011113203251.56836B-100000@fledge.watson.org>
References: <5.1.0.14.2.20011114005803.0207ed70@MailServer>

Dear All,

thanks so far for the good advice.

On my site, there is a webmail form, which is VERY rarely used. About 20 minutes before the hijack, there were three mails coming from that form, where the sender gave addresses etc. in Romania...

Status update here:
I am right now in the background using an FTP client to back up the whole directory structure, so that I can later browse faster and check modification dates etc. It will still take some time until that is finished over the slow line here.

The only "good" thing: I have access to another FreeBSD 4.2 server, which has been patched. The only problem is that this is a custom build (virtual hosting), so I am not too sure.

And for the time being, I assume that the intruder "just" installed the SW and didn't do more. Means: I will try to find out what happened, and if possible restore without going through a re-install.

My questions:

1. Any problem if I download "ps" and the patched "telnetd" from the good site and just replace them on the corrupted site?

2. I tried to patch as written in SA-01:49, but the directory /usr/src/ is empty, and when I run the "patch -p ..." command, I get:

>Hmm... Looks like a unified diff to me...
>The text leading up to this was:
>--------------------------
>|Index: libexec/telnetd/ext.h
>|===================================================================
>|RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v
>|retrieving revision 1.8
>|retrieving revision 1.10
>|diff -u -r1.8 -r1.10
>|--- libexec/telnetd/ext.h 2000/11/19 10:01:27 1.8
>|+++ libexec/telnetd/ext.h 2001/07/23 22:00:51 1.10
>--------------------------
>File to patch:

What should I enter here??? The documentation says nothing.

TIA,
Stefan