From owner-freebsd-security Wed Nov 14 15:52:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 0A05C37B405 for ; Wed, 14 Nov 2001 15:52:03 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id B253114C2E; Thu, 15 Nov 2001 00:52:01 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Stefan Probst
Cc: freebsd-security@FreeBSD.ORG, Rob Hurle
Subject: Re: AdoreWorm
References: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
From: Dag-Erling Smorgrav
Date: 15 Nov 2001 00:52:01 +0100
In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
Message-ID:
Lines: 19
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Stefan Probst writes:
> What more happened / needs to be re-installed/deleted/killed...?

Everything. That system is a total write-off; not only can you not trust anything on it after it has been compromised (they might have left a backdoor *anywhere*), but by pointlessly trying to fix it you've stomped all over the crime scene and most likely ruined and/or invalidated any evidence that could have served to track down the attackers.

Take the machine off the net, back up your file systems to tape, format the disks, reinstall the OS from trusted read-only media (e.g. a BSDI or WindRiver CD-ROM set), then secure the machine (by turning off any unneeded services and auditing the configuration files for those services you do need) before bringing it back on-line.

And don't ever use telnet again.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org
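The last step of the rebuild DES describes, "turning off any unneeded services and auditing the configuration files for those services you do need", is the one piece that lends itself to a script. The following is an added example, not code from the original message or from FreeBSD; it audits a FreeBSD-style /etc/inetd.conf and /etc/rc.conf for enabled network services and refuses to pass if a plaintext remote-login service (telnet, rsh, rlogin, rexec) is still enabled. The two configuration files are constructed samples embedded inline so the script runs offline; on a real host, feed the functions the live files instead.

```shell
#!/bin/sh
# Added example (not from the original message). Post-reinstall audit of
# which network services a FreeBSD host will offer before it goes back online.
# The two config snippets below are CONSTRUCTED samples in the format of
# /etc/inetd.conf and /etc/rc.conf; substitute the real files in production.

# Constructed sample inetd.conf: lines not starting with '#' are live services.
SAMPLE_INETD=$(cat <<'EOF'
#ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l
telnet	stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd
#shell	stream	tcp	nowait	root	/usr/libexec/rshd	rshd
#login	stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind
#finger	stream	tcp	nowait/3/10	nobody	/usr/libexec/fingerd	fingerd -s
comsat	dgram	udp	wait	tty:tty	/usr/libexec/comsat	comsat
EOF
)

# Constructed sample rc.conf: only *_enable="YES" knobs start a daemon.
SAMPLE_RC=$(cat <<'EOF'
hostname="host.example.org"
inetd_enable="YES"
sendmail_enable="YES"
portmap_enable="YES"
sshd_enable="YES"
nfs_server_enable="NO"
EOF
)

# Print the service name (first field) of every enabled inetd.conf entry
# read from stdin; skips blank lines and comments.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF { print $1 }'
}

# Print every rc.conf knob of the form foo_enable="YES" (case-insensitive
# value, quotes optional) read from stdin, one knob name per line.
rc_enabled() {
    sed -n 's/^\([A-Za-z0-9_]*_enable\)="*[Yy][Ee][Ss]"*$/\1/p'
}

# Read an inetd.conf on stdin and return 1 if any plaintext remote-login
# service is still enabled (telnet, and the r-services shell/login/exec).
check_no_plaintext_login() {
    hits=$(inetd_enabled | grep -E '^(telnet|shell|login|exec)$' || true)
    if [ -n "$hits" ]; then
        echo "plaintext remote-login service(s) enabled in inetd:" $hits >&2
        return 1
    fi
    return 0
}

# Report on the samples. On a real host:  inetd_enabled </etc/inetd.conf  etc.
echo "inetd services enabled:"
printf '%s\n' "$SAMPLE_INETD" | inetd_enabled
echo "rc.conf daemons enabled:"
printf '%s\n' "$SAMPLE_RC" | rc_enabled
printf '%s\n' "$SAMPLE_INETD" | check_no_plaintext_login \
    || echo "FIX BEFORE RECONNECTING: disable the service above and restart inetd"
```

Run it on the live files before plugging the cable back in; every service the audit lists should be one you can name a reason for, and the telnet check must pass. A clean run here says nothing about the old disks, which per the message above are evidence, not something to salvage configuration from.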