Date:      Wed, 14 Nov 2001 12:49:32 -0800
From:      Gregory Sutter <gsutter@zer0.org>
To:        John Baldwin <jhb@FreeBSD.org>
Cc:        Stefan Probst <stefan.probst@opticom.v-nam.net>, Rob Hurle <rob@coombs.anu.edu.au>, freebsd-security@FreeBSD.ORG
Subject:   Re: Adore worm
Message-ID:  <20011114124932.J35048@klapaucius.zer0.org>
In-Reply-To: <XFMail.011113092233.jhb@FreeBSD.org>
References:  <5.1.0.14.2.20011114000437.02050a70@MailServer> <XFMail.011113092233.jhb@FreeBSD.org>


On 2001-11-13 09:22 -0800, John Baldwin <jhb@FreeBSD.org> wrote:
> 
> It's a rootkit, and your box has been compromised.  Back up your data and
> reinstall unless someone else has a better idea.

I'm not sure if this is a better idea, but it does allow remote
cleanup.  Tell me if I've missed anything.

1.  Insert /etc/hosts.allow rules that only allow connections from
    your IP or subnet.

2.  Change your password, and then change your root password.

3.  pkg_delete cvsup	# and any variants: cvsup-bin, etc.
    pkg_add -r cvsup

4.  /stand/sysinstall, install a 'minimal' system from an FTP server
    (to get a clean 'make', 'cc', and libs)

5.  Install a fresh OS:
    rm -rf /usr/src
    cvsup /usr/share/examples/cvsup/4.x-stable-supfile
    make buildworld
    make buildkernel
    make installkernel
    make installworld
    mergemaster

6.  check /etc/rc.local for hacks, and
    chmod a-x /usr/local/etc/rc.d/*

7.  Delete all your packages.
    cd /var/db/pkg; for i in `ls`; do echo $i >> /tmp/installed-packages; \
    pkg_delete -f $i; done

8.  reboot

9.  log in WITH SSH

10. change your password again.
    change your root password again.

11. find / -perm +a+s > /tmp/setuid_files 	# then audit them.

12. go through the rest of your filesystem, all of it, to ensure that 
    no evil takeover scripts remain sitting anywhere.  Check through
    'cron' entries.

13. reinstall all your packages. 

14. go play, but be safe!  read freebsd-security and don't use unencrypted
    connections!

Greg
-- 
Gregory S. Sutter                   The process of scientific discovery
mailto:gsutter@zer0.org             is, in effect, a continual flight
http://www.zer0.org/~gsutter/       from wonder.  --Albert Einstein
hkp://wwwkeys.pgp.net/0x845DFEDD
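Step 11 of the procedure above, expanded into a baseline comparison as an added example that is not part of Greg's message: `list_setuid` enumerates setuid/setgid files with the portable `-perm -4000 -o -perm -2000` form (the original's `-perm +a+s` is FreeBSD-specific), and `audit_setuid` reports files that appeared or vanished relative to a saved list. Function names and the baseline path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original message. Assumes POSIX sh,
# find(1), comm(1) and mktemp(1). The function names are made up here.

# list_setuid DIR: print every setuid or setgid regular file under DIR,
# staying on one filesystem, sorted so the list can be diffed later.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# audit_setuid DIR BASELINE: compare the current list under DIR with the
# BASELINE file saved from a known-good system (one path per line).
# Prints "+ path" for a setuid/setgid file not in the baseline (the
# interesting case after a rootkit) and "- path" for a baseline entry that
# is gone. Returns 0 when the two lists match, 1 when they differ.
audit_setuid() {
    dir=$1
    baseline=$2
    current=$(mktemp) || return 2
    sorted=$(mktemp) || return 2
    list_setuid "$dir" > "$current"
    sort "$baseline" > "$sorted"          # comm(1) needs sorted input
    new=$(comm -13 "$sorted" "$current")  # only in current list
    missing=$(comm -23 "$sorted" "$current")  # only in baseline
    rm -f "$current" "$sorted"
    rc=0
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/+ /'
        rc=1
    fi
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/- /'
        rc=1
    fi
    return $rc
}

# Typical use (assumed path): save a baseline right after installworld,
# then re-run the audit from cron and alert on a non-zero exit status.
#   list_setuid / > /var/db/setuid.baseline
#   audit_setuid / /var/db/setuid.baseline
```

The baseline file should itself be protected, for example stored on read-only media or alongside an offline checksum, since a rootkit that can edit it can hide from this check.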
