From owner-freebsd-security  Sun Aug 19 18:15:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13])
	by hub.freebsd.org (Postfix) with ESMTP id 01C9A37B414
	for <freebsd-security@FreeBSD.ORG>; Sun, 19 Aug 2001 18:15:33 -0700 (PDT)
	(envelope-from davidk@accretivetg.com)
Received: from localhost (davidk@localhost)
	by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f7K0AqJ61818;
	Sun, 19 Aug 2001 17:10:57 -0700 (PDT)
Date: Sun, 19 Aug 2001 17:10:52 -0700 (PDT)
From: David Kirchner <davidk@accretivetg.com>
X-X-Sender:  <davidk@localhost>
To: Rami AlZaid <lists@alzaid.com>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Rooted
In-Reply-To: <5.1.0.14.2.20010819201719.02396ff0@mail.alzaid.com>
Message-ID: <20010819170743.S38221-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Sun, 19 Aug 2001, Rami AlZaid wrote:

> At 12:26 AM 8/19/2001, you wrote:
> >You may also be backdoored; if you weren't running something like tripwire
> >to catch changes in your system files, you may want to go ahead and
> >re-install FreeBSD entirely. May not be necessary, but it shouldn't hurt.
>
> Would deleting /usr/src, cvsuping all the source, making world and
> replacing all the files in /usr/local/etc and /etc remove the backdoors? or
> is it necessary to wipe the hard disk and install everything all over again?
>
> Thanks

If you want to be very careful, wiping the disk would be necessary. A
backdoor could be anywhere, including in programs not part of the base
system (such as bash from ports). It depends on how paranoid you are
however. If you're not too worried, re-installing from a fresh cvsup would
probably be good enough. You can check to see what programs are running as
servers by running:

netstat -aAn | grep LISTEN
fstat | grep <hexcode from first column>

(example:
d29344e0 tcp        0      0  *.25               *.*                LISTEN
root     sendmail    6081    5* internet stream tcp d29344e0)

If you see anything weird there, you can track down where it came from and
try to re-install that if it turns out to be necessary.

I'd suggest installing some program such as tripwire at this point,
regardless of what you do. Chances are if there is a backdoor and it gets
used, files will be changed/added (little other reason to use a backdoor).


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message