From owner-freebsd-questions Sun Dec 16 17:33:15 2001
From: "hjs"
To: freebsd-questions@freebsd.org
Subject: Re: Strange Behaviour 'ls'
Date: Mon, 17 Dec 2001 02:32:56 +0100
Organization: XS4ALL Internet BV
Message-ID: <9vji09$3n5$1@news1.xs4all.nl>
In-Reply-To: <20011217012209.Z10171@md2.mediadesign.nl>
Sender: owner-freebsd-questions@FreeBSD.ORG

Thank you for all your information. I have disabled telnetd and am downloading 4.4.
If I run into probs, I'll let you know.

Kind Regards,
Stof

"Alson van der Meulen" wrote in message news:list.freebsd.questions#20011217012209.Z10171@md2.mediadesign.nl...
> On Mon, Dec 17, 2001 at 01:13:29AM +0100, hjs wrote:
> > Another thing I found....
> >
> > When I go to my FreeBSD box through ftp and go to directory /bin and do an
> > ls, I see that two files have at least been touched (could have been me, but
> > I am not sure) on December 13th. They are ls and ps. ps still seems to work
> > though.
> >
> > Can I safely do a
> > make depend && make && make install
> > from their directories in /usr/src/bin or should I do something else to
> > rebuild them.
>
> I think your box has been trojaned, probably through telnetd, or
> possibly some other way:
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.v1.1.asc
>
> ps and ls are often trojaned, ps hides probably certain processes the
> cracker runs, and ls some files. You can often see the files using
> `find' or `echo *', but you can't really trust _anything_ on that box.
> If possible, take that box offline immediately, backup all _data_ (not
> binaries), and reinstall using 4.4-RELEASE. This box is possibly being
> used to crack/flood other computers or to serve warez.
>
> If reinstall really isn't a possibility, try installing chkrootkit
> (/usr/ports/security/chkrootkit) and try to find all files the attacker
> left, and the corresponding log entries. At least you should patch all
> security holes (http://www.freebsd.org/security/index.html)
> or upgrade to 4.4-RELEASE.
>
> This is NOT something that will be fixed by reinstalling ps and ls,
> since possibly more trojans are installed and they can get in the same
> way they used previously again.
>
> Please contact me if you have any more questions,
> Alson
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
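The cross-check Alson describes (comparing what `ls` shows against `find` or the shell's own `echo *`), written out as an added example that is not part of the original thread; the function names, the `LS_CMD` override used for testing and the temp-file location are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): compare what the possibly trojaned ls
# binary reports for a directory against two independent enumerations, find(1)
# and the shell's own glob expansion. Names present in the independent lists
# but missing from the ls output are the ones a trojaned ls is hiding.
# As the reply says, this is only triage: if the kernel, find or the shell
# were replaced too, nothing on the box can be trusted.
export LC_ALL=C   # fixed collation so sort(1) and comm(1) agree

# list_with_ls DIR [LS_CMD]: names as reported by ls, one per line, sorted.
# LS_CMD defaults to the system ls; a test may substitute a command that hides names.
list_with_ls() {
    ls_cmd=${2:-ls}
    "$ls_cmd" -A1 "$1" | sort
}

# list_with_find DIR: names enumerated by find, which reads the directory itself.
list_with_find() {
    ( cd "$1" && find . -mindepth 1 -maxdepth 1 ) | sed 's|^\./||' | sort
}

# list_with_glob DIR: names from the shell's own glob, no external binary involved.
list_with_glob() {
    ( cd "$1" || exit 1
      for f in .[!.]* ..?* *; do
          if [ -e "$f" ] || [ -L "$f" ]; then printf '%s\n' "$f"; fi
      done ) | sort
}

# hidden_by_ls DIR [LS_CMD]: print names that find/glob see but ls does not;
# empty output means the three views agree.
hidden_by_ls() {
    tmp=${TMPDIR:-/tmp}/lscheck.$$   # assumed scratch location
    list_with_ls "$1" "${2:-ls}" > "$tmp.ls"
    { list_with_find "$1"; list_with_glob "$1"; } | sort -u > "$tmp.ind"
    comm -13 "$tmp.ls" "$tmp.ind"    # lines only in the independent list
    rm -f "$tmp.ls" "$tmp.ind"
}

# Usage on a suspect box (e.g. /bin, where the thread saw ls and ps touched):
#   hidden_by_ls /bin
```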