Date: Mon, 17 Dec 2001 02:32:56 +0100
From: "hjs" <hjs@thestof.com>
To: freebsd-questions@freebsd.org
Subject: Re: Strange Behaviour 'ls'
Message-ID: <9vji09$3n5$1@news1.xs4all.nl>
In-Reply-To: <20011217012209.Z10171@md2.mediadesign.nl>
Thank you for all your information. I have disabled telnetd and am
downloading 4.4. If I run into probs, I'll let you know.

Kind Regards,
Stof

"Alson van der Meulen" <alm@flutnet.ORG> wrote in message
news:list.freebsd.questions#20011217012209.Z10171@md2.mediadesign.nl...
> On Mon, Dec 17, 2001 at 01:13:29AM +0100, hjs wrote:
> > Another thing I found....
> >
> > When I go to my FreeBSD box through ftp and go to directory /bin and do an
> > ls, I see that two files have at least been touched (could have been me, but
> > I am not sure) on December 13th. They are ls and ps. ps still seems to work
> > though.
> >
> > Can I safely do a
> > make depend && make && make install
> > from their directories in /usr/src/bin or should I do something else to
> > rebuild them.
> I think your box has been trojaned, probably through telnetd, or
> possibly some other way:
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.v1.1.asc
>
> ps and ls are often trojaned, ps hides probably certain processes the
> cracker runs, and ls some files. You can often see the files using
> `find' or `echo *', but you can't really trust _anything_ on that box.
> If possible, take that box offline immediately, backup all _data_ (not
> binaries), and reinstall using 4.4-RELEASE. This box is possibly being
> used to crack/flood other computers or to serve warez.
>
> If reinstall really isn't a possibility, try installing chkrootkit
> (/usr/ports/security/chkrootkit) and try to find all files the attacker
> left, and the corresponding log entries. At least you should patch all
> security holes (http://www.freebsd.org/security/index.html)
> or upgrade to 4.4-RELEASE.
>
> This is NOT something that will be fixed by reinstalling ps and ls,
> since possibly more trojans are installed and they can get in the same
> way they used previously again.
>
> Please contact me if you have any more questions,
> Alson
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
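The `find` / `echo *` cross-check Alson suggests, written out as an added shell example that is not part of this thread: it lists a directory with the shell's own glob and with the `ls` under suspicion, and reports any name the glob sees but `ls` does not print. The function names (`glob_names`, `ls_names`, `hidden_by_ls`) are hypothetical; it assumes a POSIX sh with `ls`, `sort`, `comm` and `mktemp`.

```shell
#!/bin/sh
# Added example, not from the thread: a trojaned ls that hides files shows
# up as a name the shell glob finds but ls omits. The shell, sort and comm
# on a compromised box are no more trustworthy than ls, so treat a clean
# result as "no discrepancy seen", not as proof the box is clean.

# glob_names DIR: every name in DIR the shell glob can see, dotfiles
# included, one per line. Uses only the shell, not ls.
glob_names() {
    for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        # an unmatched pattern is returned literally; skip those
        [ -e "$f" ] || [ -L "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done | sort
}

# ls_names DIR [LISTER]: names as printed by the listing command under test
# (default "ls -A", i.e. everything except . and ..). LISTER is a hook so
# a suspect ls, or a stand-in for one in a test, can be substituted.
ls_names() {
    lister=${2:-ls -A}
    $lister "$1" | sort
}

# hidden_by_ls DIR [LISTER]: print the names the glob finds but the lister
# omits. Exit status 1 when at least one name is hidden, 0 otherwise.
hidden_by_ls() {
    g=$(mktemp) && l=$(mktemp) || return 2
    glob_names "$1" > "$g"
    ls_names "$1" "$2" > "$l"
    # comm -23 keeps lines present only in the first (glob) file
    hidden=$(comm -23 "$g" "$l")
    rm -f "$g" "$l"
    [ -z "$hidden" ] && return 0
    printf '%s\n' "$hidden"
    return 1
}
```

Run it as `hidden_by_ls /bin`; any name it prints is worth a closer look with `find` or a known-good `ls` from install media.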