From: Stefan Probst
To: freebsd-security@FreeBSD.ORG
Cc: Rob Hurle
Date: Wed, 14 Nov 2001 18:56:06 +0700
Subject: Re: AdoreWorm

Hi,

some hours later, lots of grey hair more, but feeling more safe now....

As it looks now, somebody in Romania most probably used the telnetd hole (because there were no other unused services running, and it would be hard to believe that somebody on a dial-up line in Romania can sniff telnet passwords, which usually go from Vietnam via Hong Kong to the East Coast) and somehow got root access. They then installed this AdoreBSD. Luckily, as it looks right now (I might be wrong), they didn't do anything else - at least nothing major.

They furthermore installed from http://www.psychoid.lam3rz.de the psyBNC, which is obviously kind of a "special" IRC relay ??? This psyBNC left a logfile, and I have their ISP now: warpnet.ro, including some IP numbers which they used. Not sure what I should do with that.
This psyBNC is installed in a directory with a single space as the name:

/root/ /bsd.tgz
/root/ /bsd/scan-a
/root/ /bsd/telnet
/root/ /bsd/statdx2.tgz
/root/ /bsd/statdx2/luckgo
/root/ /bsd/statdx2/luckscan-a
/root/ /bsd/statdx2/luckstatdx
/root/ /bsd/statdx2/wu
/root/ /psybnc/

Status as of now:
- I deleted /bin/xterm (since I saw that entry in rc.conf)
- I replaced ps with a version which I downloaded from another server. Luckily, that worked, and I could see the processes again.
- I killed all ./cons.saver processes
- I killed all /bin/xterm processes
- I killed all ./psybnc processes
- Applying the patch as written on the FreeBSD site didn't work, because my /usr/src/ directory was empty.
- I tried ssh (which is ok now) to make sure that I am not locked out, in case I crash telnetd.
- I replaced telnetd with a patched version which I downloaded from the other server. Still can log on.
- I restarted inetd successfully.
- I renamed .fx/cons.saver to be sure that this is not restarted again
- I changed the root password (not sure whether this was necessary)
- I replaced rc (I am really lucky that this is one of the few files which I (nosy) downloaded some time ago, so I have a clean copy here) and rc.conf
- I renamed that /root/ / to something different - to be sure that the files in there cannot be started by an unknown process again.

Outstanding:
- find more remains.
- the /var/log/... files are still not written, i.e. size still "0". ???

Open Questions:
- I know that
  * ps, telnetd have been replaced
  * /var/log/messages has been renamed to "menssages"
  * rc, rc.conf have been edited
  * processes were started: cons.saver, xterm, psybnc
  What more happened / needs to be re-installed/deleted/killed...?
- there is a short file "/etc/syslog.conf.lock" - what is this? Delete it?

Thanks to everybody,
Stefan
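The checks Stefan worked through by hand in the mail above (a directory whose name is only a space, log files stuck at size 0, ps and telnetd replaced) can be scripted for triage of a box like this. The script below is an added example, not code from the mail or from FreeBSD; its function names and the manifest format ("<sha256> <path>" per line, generated on a known-clean host of the same release) are assumptions of this example.

```shell
# Added triage helpers (example code, not from the mail). Function names and the
# manifest format ("<sha256> <path>" per line) are assumptions of this example.

hash_file() {   # sha256sum on Linux, sha256 -q on FreeBSD
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1; else sha256 -q "$1"; fi
}

# Directories whose name is only whitespace, such as "/root/ /", which are
# easy to overlook in an ls listing.
find_space_dirs() {
    find "$1" -type d | grep -E '/[[:space:]]+$'
}

# Zero-byte files under a log directory (the mail reports /var/log/* stuck at size 0).
find_empty_logs() {
    find "$1" -type f -size 0
}

# Compare files against a manifest taken from a clean host of the same release;
# $1 = manifest, $2 = prefix prepended to each path ("" for the live root).
verify_binaries() {
    while read -r sum path; do
        [ -n "$path" ] || continue
        f="$2$path"
        if [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(hash_file "$f")" != "$sum" ]; then
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$1"
}

# Constructed scratch tree mirroring the findings in the mail (sample data only).
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/root/ /bsd" "$root/var/log" "$root/bin" "$root/usr/libexec"
    : > "$root/root/ /bsd/scan-a"
    : > "$root/var/log/messages"                         # log stuck at size 0
    printf 'old log data\n' > "$root/var/log/menssages"  # renamed original log
    printf 'clean ps\n' > "$root/bin/ps"
    printf 'clean telnetd\n' > "$root/usr/libexec/telnetd"
    { printf '%s /bin/ps\n' "$(hash_file "$root/bin/ps")"
      printf '%s /usr/libexec/telnetd\n' "$(hash_file "$root/usr/libexec/telnetd")"
    } > "$root/manifest"
    printf 'trojaned ps\n' > "$root/bin/ps"              # simulate the replaced ps
    printf '%s\n' "$root"
}
```

On a live host run the three checks as root against /root, /var/log and a manifest built from a clean install, and treat every MODIFIED or MISSING line as a reason to reinstall rather than patch in place.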