From owner-freebsd-security Sun Aug 19 18:15:37 2001
Date: Sun, 19 Aug 2001 17:10:52 -0700 (PDT)
From: David Kirchner
To: Rami AlZaid
Subject: Re: Rooted
In-Reply-To: <5.1.0.14.2.20010819201719.02396ff0@mail.alzaid.com>
Message-ID: <20010819170743.S38221-100000@localhost>

On Sun, 19 Aug 2001, Rami AlZaid wrote:

> At 12:26 AM 8/19/2001, you wrote:
> >You may also be backdoored; if you weren't running something like tripwire
> >to catch changes in your system files, you may want to go ahead and
> >re-install FreeBSD entirely. May not be necessary, but it shouldn't hurt.
>
> Would deleting /usr/src, cvsuping all the source, making world and
> replacing all the files in /usr/local/etc and /etc remove the backdoors? Or
> is it necessary to wipe the hard disk and install everything all over again?
>
> Thanks

If you want to be very careful, wiping the disk would be necessary. A
backdoor could be anywhere, including in programs not part of the base
system (such as bash from ports). It depends on how paranoid you are,
however. If you're not too worried, re-installing from a fresh cvsup would
probably be good enough.
You can check to see what programs are running as servers by running:

    netstat -aAn | grep LISTEN
    fstat | grep

(example:

    d29344e0 tcp 0 0 *.25 *.* LISTEN
    root sendmail 6081 5* internet stream tcp d29344e0
)

If you see anything weird there, you can track down where it came from and
try to re-install that if it turns out to be necessary.

I'd suggest installing some program such as tripwire at this point,
regardless of what you do. Chances are if there is a backdoor and it gets
used, files will be changed/added (little other reason to use a backdoor).
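The check above joins the netstat and fstat output by hand on the kernel socket address (d29344e0 in the example, first column of `netstat -aAn` and last column of the fstat socket line). The script below is an added example, not part of David's mail or of FreeBSD, that does the same join with awk so every LISTEN socket is printed next to the user, command and PID that owns it. It runs on constructed sample output embedded in the script (the column layout is assumed from the example in the mail); on a live host you would feed it the real `netstat -aAn` and `fstat` output instead. A listener that no fstat entry claims is reported as UNMATCHED, which is exactly the kind of "weird" entry worth tracking down.

```shell
#!/bin/sh
# Added example (not from the original mail): correlate LISTEN sockets from
# `netstat -aAn` with their owning processes from `fstat`, joined on the
# socket (pcb) address that appears in both outputs.

# Constructed sample of `netstat -aAn` output; column layout assumed from the
# example line in the mail.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Tcpcb    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
d29344e0 tcp        0      0  *.25                   *.*                    LISTEN
d2934700 tcp        0      0  *.22                   *.*                    LISTEN
d2934920 tcp        0      0  *.2000                 *.*                    LISTEN
d2934b40 tcp        0      0  10.0.0.5.22            10.0.0.9.4011          ESTABLISHED'

# Constructed sample of `fstat` output; note there is deliberately no entry
# for pcb d2934920, so that listener has no visible owner.
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     sendmail    6081    5* internet stream tcp d29344e0
root     sshd         312    3* internet stream tcp d2934700
root     sshd       24100    4* internet stream tcp d2934b40'

# listeners NETSTAT_TEXT FSTAT_TEXT
# Prints one line per LISTEN socket: "<local address> <user> <command> <pid>",
# or "<local address> UNMATCHED" when no fstat line owns that socket.
listeners() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    # netstat line: pcb proto recv-q send-q local foreign state
    $NF == "LISTEN" { listen[$1] = $5; order[++n] = $1; next }
    # fstat socket line: user cmd pid fd* internet stream tcp pcb
    $5 == "internet" { owner[$NF] = $1 " " $2 " " $3 }
    END {
      for (i = 1; i <= n; i++) {
        pcb = order[i]
        who = (pcb in owner) ? owner[pcb] : "UNMATCHED"
        print listen[pcb], who
      }
    }'
}

# Stand-alone run on the constructed samples.
listeners "$SAMPLE_NETSTAT" "$SAMPLE_FSTAT"
```

On a real system replace the two samples with `netstat -aAn` and `fstat` output (fstat must be run as root to see every process's descriptors, otherwise a listener owned by another user will show up as UNMATCHED for that reason alone).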