From owner-freebsd-security Wed Apr 18 20:24:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 72F3737B43C for ; Wed, 18 Apr 2001 20:24:26 -0700 (PDT) (envelope-from danderse@cs.utah.edu)
Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id VAA14081; Wed, 18 Apr 2001 21:24:19 -0600 (MDT)
Message-Id: <200104190324.VAA14081@faith.cs.utah.edu>
Subject: Re: unknown process
To: kris@obsecurity.org (Kris Kennaway)
Date: Wed, 18 Apr 2001 21:24:19 -0600 (MDT)
Cc: fukuda@alles.ad.jp (fukuda shinichi), freebsd-security@FreeBSD.ORG
In-Reply-To: <20010418200223.A42227@xor.obsecurity.org> from "Kris Kennaway" at Apr 18, 2001 08:02:23 PM
From: "David G. Andersen"
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There was an analysis of this posted to ISN today:

http://www.securityfocus.com/templates/archive.pike?list=12&mid=177354

You've been hacked. Do what Kris said immediately - take your system
offline, and figure out how they got in. You'll likely need to either
restore from backups, do a fresh install, or check your tripwire/etc logs
to determine what else the intruder changed, if they installed a rootkit,
etc.

-Dave

Lo and behold, Kris Kennaway once said:
> On Thu, Apr 19, 2001 at 11:41:00AM +0900, fukuda shinichi wrote:
> > Hi.
> >
> > I found an unknown process named "carko" today.
> > This binary was found in /usr/share/man/mansps/ddos,
> > and I never made a dir like ddos!! (created Apr 18 18:59).
> >
> > Does anyone know about this "carko"?
> > And the very weird name "ddos" ... please help me.
>
> Take your system off the net and check it for signs of intrusion.
>
> Kris

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
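The advice in the thread (check tripwire/etc logs to see what else changed, and be suspicious of executables turning up under /usr/share/man) amounts to comparing the host against a known-good baseline. The script below is an added example, not code from any participant in this thread: a minimal tripwire-style manifest check plus a scan for executable files under a manual-page tree, written with POSIX tools only (find, cksum, sort, comm) so it runs unchanged on FreeBSD and Linux. The sample tree that make_sample_tree and plant_sample_intruder build is constructed for the example; the path mansps/ddos/carko merely mimics the report above and is not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. A baseline manifest is
# taken while the tree is trusted; later runs report files that were added,
# modified or removed since then. All sample data is constructed here.

# Print one "cksum size path" line per regular file under $1, sorted so
# the output can be fed to comm(1).
manifest() {
    find "$1" -type f -exec cksum {} \; | sort
}

# Compare a saved manifest ($1) with the current state of tree ($2).
# Prints "+ line" for new or modified files and "- line" for files that
# vanished or changed; returns 0 only when nothing differs.
check_baseline() {
    baseline="$1"; tree="$2"
    current=$(mktemp)
    manifest "$tree" > "$current"
    added=$(comm -13 "$baseline" "$current")    # only in current
    missing=$(comm -23 "$baseline" "$current")  # only in baseline
    rm -f "$current"
    [ -z "$added" ] && [ -z "$missing" ] && return 0
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$missing" ] && printf '%s\n' "$missing" | sed 's/^/- /'
    return 1
}

# A manual-page tree should contain no executables at all; list any
# regular file under $1 with the owner execute bit set (-perm -100 is the
# portable octal form).
find_executables_in_man() {
    find "$1" -type f -perm -100
}

# Build a constructed, clean sample tree in a temp dir and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/man1"
    printf '.TH LS 1\nls manual page (sample)\n' > "$root/man1/ls.1"
    printf '%s\n' "$root"
}

# Simulate the situation from the report: an unexpected directory and an
# executable appear under the man tree. The file content is a placeholder.
plant_sample_intruder() {
    mkdir -p "$1/mansps/ddos"
    printf '#!/bin/sh\necho placeholder\n' > "$1/mansps/ddos/carko"
    chmod 755 "$1/mansps/ddos/carko"
}

# Walk through the whole cycle; call "demo" after sourcing this file.
demo() {
    root=$(make_sample_tree)
    base=$(mktemp)
    manifest "$root" > "$base"                 # trusted snapshot
    plant_sample_intruder "$root"
    echo "baseline differences:"
    check_baseline "$base" "$root" || true
    echo "executables under man tree:"
    find_executables_in_man "$root"
    rm -rf "$root" "$base"
}
```

In practice the baseline manifest must be written to read-only or offline media at install time; a manifest kept on the compromised host can be edited along with everything else, which is why the thread falls back to backups or a fresh install when no trustworthy baseline exists.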