From owner-freebsd-security Fri Dec 1 19:38:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.sovintel.ru (ns.sovintel.ru [212.44.130.6]) by hub.freebsd.org (Postfix) with ESMTP id 4976337B400 for ; Fri, 1 Dec 2000 19:38:18 -0800 (PST)
Received: from blackman.ru (p105.spb.sovintel.ru [213.221.48.105] (may be forged)) by ns.sovintel.ru (8.9.3/8.9.3) with ESMTP id GAA28566 for ; Sat, 2 Dec 2000 06:38:09 +0300 (MSK)
Message-ID: <3A286EB4.50908@blackman.ru>
Date: Sat, 02 Dec 2000 06:38:28 +0300
From: "Mr. Blackman"
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22 i686; en-US; m18) Gecko/20001018
X-Accept-Language: ru, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: which ftpd (Imortant &etc) aka wold cry
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <20001201115339.G2185@nevermind.kiev.ua>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

(sorry if this is off-topic)

Nevermind wrote:
> Hello, James Wyatt!
>
>> I've been hacked a few months ago with such kind of sht
>> using standard ftpd.

Do you _know_ this was "standard ftpd"? :) I think not :)

> ps ax | grep supa
> also make fsck in single mode several times, then search for suspicious dirs in
> /var/games, /var/*.
>
> This is a hack based on loading a kernel module

This is a rootkit, not a hack (vulnerability) :)

> which prevents the process named supa
> from being killed
> also try to find a dir or/and file named "lohi".
                                           ^^^^
The file "lohi" gives you a clue - these were Russian hackers (99%), so you can meet them, buy them a beer and ask: "Guys, how did u hack my box, a? :)"
It will be better than flaming here.

P.S> Sorry one more time.

Blackman "Peace man"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
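The triage steps quoted in the thread (look for a running "supa", check what kernel modules are loaded, search for "lohi"), collected into a small sh script as an added example that is not part of the original mail. It assumes FreeBSD-style `ps ax` and `kldstat` output; the sample process and module names used in comments are constructed.

```shell
#!/bin/sh
# Added triage helpers for the checklist in the thread (not from the original post).
# Assumes `ps ax` columns PID TT STAT TIME COMMAND and kldstat(8) output with the
# module name as the last field; the helpers take the command output as text so
# they can be checked against saved output from a suspect box.

# find_pids NAME PS_OUTPUT: print PIDs whose command name is exactly NAME.
find_pids() {
    name=$1
    printf '%s\n' "$2" | awk -v n="$name" '
        NR > 1 { cmd = $5; sub(/^.*\//, "", cmd); if (cmd == n) print $1 }'
}

# unknown_modules BASELINE KLDSTAT_OUTPUT: print loaded modules that are not in
# the space-separated BASELINE (e.g. "kernel linux.ko" on a known-good host).
# A rootkit loaded as a kernel module, as described in the thread, shows up here.
unknown_modules() {
    baseline=" $1 "
    printf '%s\n' "$2" | awk 'NR > 1 { print $NF }' | while read -r mod; do
        case "$baseline" in
            *" $mod "*) ;;
            *) printf '%s\n' "$mod" ;;
        esac
    done
}

# find_lohi ROOT: locate the "lohi" file or directory mentioned in the thread.
find_lohi() {
    find "${1:-/}" -xdev -name lohi -print 2>/dev/null
}

# triage: run all three checks on the live system and report findings.
triage() {
    ps_out=$(ps ax)
    for pid in $(find_pids supa "$ps_out"); do
        echo "process 'supa' running as pid $pid; a kernel-module rootkit may be keeping it alive"
    done
    unknown_modules "kernel" "$(kldstat)" | sed 's/^/unexpected kernel module: /'
    find_lohi /var | sed 's/^/suspicious path: /'
}
```

Run `triage` from single-user mode after the fsck pass the thread recommends; if `kill` on a reported PID silently fails, that matches the unkillable-process symptom described.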