Date: Sun, 19 Aug 2001 17:10:52 -0700 (PDT)
From: David Kirchner <davidk@accretivetg.com>
To: Rami AlZaid <lists@alzaid.com>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Rooted
Message-ID: <20010819170743.S38221-100000@localhost>
In-Reply-To: <5.1.0.14.2.20010819201719.02396ff0@mail.alzaid.com>

On Sun, 19 Aug 2001, Rami AlZaid wrote:

> At 12:26 AM 8/19/2001, you wrote:
> >You may also be backdoored; if you weren't running something like tripwire
> >to catch changes in your system files, you may want to go ahead and
> >re-install FreeBSD entirely. May not be necessary, but it shouldn't hurt.
>
> Would deleting /usr/src, cvsuping all the source, making world and
> replacing all the files in /usr/local/etc and /etc remove the backdoors? or
> is it necessary to wipe the hard disk and install everything all over again?
>
> Thanks

If you want to be very careful, wiping the disk would be necessary. A
backdoor could be anywhere, including in programs not part of the base
system (such as bash from ports).

It depends on how paranoid you are, however. If you're not too worried,
re-installing from a fresh cvsup would probably be good enough. You can
check to see what programs are running as servers by running:

    netstat -aAn | grep LISTEN
    fstat | grep <hexcode from first column>

(example:

    d29344e0 tcp        0      0  *.25      *.*      LISTEN
    root     sendmail    6081    5* internet stream tcp d29344e0)

If you see anything weird there, you can track down where it came from and
try to re-install that if it turns out to be necessary.

I'd suggest installing some program such as tripwire at this point,
regardless of what you do. Chances are if there is a backdoor and it gets
used, files will be changed/added (little other reason to use a backdoor).


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
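
The netstat/fstat cross-check described in the message above, done for every listener at once, as an added example that is not part of the original e-mail. The helper name map_listeners, its output format and the sample captures (constructed, including one listener that has no fstat row) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): join `netstat -aAn` LISTEN
# rows to `fstat` socket rows on the PCB address, which is netstat's first
# column and the last column of an fstat socket row.
# map_listeners is a hypothetical helper name; the output format is our own.
# Live use: netstat -aAn > ns.txt; fstat > fs.txt; map_listeners ns.txt fs.txt
map_listeners() {
    awk '
        # netstat row: PCB address, proto, Recv-Q, Send-Q, local, foreign, state
        src == "netstat" && $NF == "LISTEN" {
            if (!($1 in laddr)) order[++n] = $1
            laddr[$1] = $2 " " $5
            next
        }
        # fstat socket row: user, command, pid, fd, domain, type, proto, PCB address
        src == "fstat" && $5 == "internet" && ($NF in laddr) {
            printf "%s %s user=%s cmd=%s pid=%s fd=%s\n", $NF, laddr[$NF], $1, $2, $3, $4
            owned[$NF] = 1
        }
        # Listeners that no fstat row claimed are reported last.
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in owned))
                    printf "%s %s NO-MATCH-IN-FSTAT\n", order[i], laddr[order[i]]
        }
    ' src=netstat "$1" src=fstat "$2"
}

# Constructed sample captures (not real host data), in the layout quoted above.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/netstat.txt" <<'EOF'
Active Internet connections (including servers)
Socket   Proto Recv-Q Send-Q  Local Address   Foreign Address   (state)
d29344e0 tcp        0      0  *.25            *.*               LISTEN
d2934c80 tcp        0      0  *.22            *.*               LISTEN
d2935120 tcp        0      0  *.4000          *.*               LISTEN
d2935360 tcp        0      0  10.0.0.5.22     10.0.0.9.1045     ESTABLISHED
EOF
cat > "$sample_dir/fstat.txt" <<'EOF'
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     sendmail    6081    5* internet stream tcp d29344e0
root     sshd         112    3* internet stream tcp d2934c80
root     sshd         112 text /usr      12345 -r-xr-xr-x  204800  r
EOF

map_listeners "$sample_dir/netstat.txt" "$sample_dir/fstat.txt"
```
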