Date: Wed, 14 Nov 2001 11:38:06 +0300
From: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
To: Stefan Probst <stefan.probst@opticom.v-nam.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: Adore worm
Message-ID: <13049006858.20011114113806@internethelp.ru>
In-Reply-To: <5.1.0.14.2.20011114091904.0425b660@MailServer>
References: <5.1.0.14.2.20011114005803.0207ed70@MailServer> <5.1.0.14.2.20011114091904.0425b660@MailServer>
Hello Stefan,

Wednesday, November 14, 2001, 5:38:00 AM, you wrote:

SP> Dear All,
SP> thanks so far for good advice.
SP> On my site, there is a webmail form, which is VERY rarely used. About 20
SP> minutes before the hijack, there were three mails coming from that form,
SP> where the sender gave addresses etc. in Romania...
SP> Status update here:
SP> I am right now in the background using an FTP client to backup the whole
SP> directory structure, so that I can later browse faster and check
SP> modification dates etc. Will still take some time until that is finished
SP> over the slow line here.
SP> The only "good" thing: I have access to another FreeBSD 4.2 server, which
SP> has got patched. Problem is only, that this is a custom build (virtual
SP> hosting), so I am not too sure.

AFAIK with CVS you can build a binary for quite any version of FreeBSD. But I can be wrong here. Any comments are very good.

SP> And for the time being, I assume, that the intruder "just" installed the SW
SP> and didn't do more. Means: I will try to find out what happened, and if
SP> possible restore without going through a re-install.

This is a dangerous assumption. Be very careful and do not rely on this.

SP> My questions:
SP> 1. Any problem, if I download "ps" and the patched "telnetd" from the good
SP> site and just replace on the corrupted site?

You should just try. Download them with different names (let's say new_ps and new_telnetd) and try to run them. For new_ps just type

    chmod 700 /path/to/new/ps/new_ps && /path/to/new/ps/new_ps

in the shell prompt. For new_telnetd add the following line to /etc/inetd.conf:

    55555 stream tcp nowait root /path/to/new/telnetd/new_telnetd new_telnetd

and do "kill -1 `cat /var/run/inetd.pid`". After that try to telnet localhost at port 55555 and `tail' the logs for errors.

SP> 2. I tried to patch as written in SA-01:49, but the directory /usr/src/ is
SP> empty, and when I run the "patch -p ..." command, I get:
>>Hmm... Looks like a unified diff to me...
>>The text leading up to this was:
>>--------------------------
>>|Index: libexec/telnetd/ext.h
>>|===================================================================
>>|RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v
>>|retrieving revision 1.8
>>|retrieving revision 1.10
>>|diff -u -r1.8 -r1.10
>>|--- libexec/telnetd/ext.h 2000/11/19 10:01:27 1.8
>>|+++ libexec/telnetd/ext.h 2001/07/23 22:00:51 1.10
>>--------------------------
>>File to patch:
SP> What should I enter here???
SP> The documentation says nothing.

If your /usr/src directory is empty you cannot apply this patch.

SP> TIA,
SP> Stefan

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
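The "File to patch:" prompt quoted above is what patch falls back to when the file named in the diff does not exist relative to the current directory. As an added example that is not part of the thread, this sh function reads the Index: lines of a cvs-style advisory patch and reports which targets are missing under a source tree, so the check can be done before running patch -p0 from /usr/src; the patch stub, the source-tree layout and the second file name (example.c) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Before applying a FreeBSD
# advisory patch with `patch -p0` from the top of /usr/src, list the files
# the diff touches and report any that are missing from the source tree.
# When patch cannot find a target it falls back to the interactive
# "File to patch:" prompt seen above, so this answers that ahead of time.
#
# Usage: check_patch_targets /usr/src /path/to/telnetd.patch
check_patch_targets() {
    srcdir=$1
    patchfile=$2
    missing=0
    # Each file in a cvs diff is introduced by "Index: relative/path"
    # (e.g. "Index: libexec/telnetd/ext.h" in the output quoted above).
    # Paths in src trees carry no whitespace, so word splitting is safe.
    for f in $(sed -n 's/^Index: //p' "$patchfile"); do
        if [ ! -f "$srcdir/$f" ]; then
            echo "missing: $srcdir/$f"
            missing=$((missing + 1))
        fi
    done
    # Exit status is the number of missing targets; 0 means safe to patch.
    return "$missing"
}

# Self-contained demo on a constructed two-file patch stub and a source
# tree that only contains ext.h (example.c is a made-up name for the demo).
demo() {
    tmp=$(mktemp -d)
    printf 'Index: libexec/telnetd/ext.h\nIndex: libexec/telnetd/example.c\n' \
        > "$tmp/sa-01-49.patch"
    mkdir -p "$tmp/src/libexec/telnetd"
    : > "$tmp/src/libexec/telnetd/ext.h"
    check_patch_targets "$tmp/src" "$tmp/sa-01-49.patch" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "all targets present: cd $tmp/src && patch -p0 < sa-01-49.patch"
    else
        echo "$rc target(s) missing; fetch the source tree before patching"
    fi
    rm -rf "$tmp"
}

demo
```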