Re: Trojan injected in my Freebsd 4.1-RELEASE

From: Nickolay A.Kritsky (nkritsky@internethelp.ru)
Date: 08/01/01


Date: Wed, 1 Aug 2001 19:58:53 +0400
From: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
To: "Maximum" <m-a-x-i-m-u-m@mail.ru>

Hello Maximum,

Wednesday, August 01, 2001, 6:24:17 PM, you wrote:

M> Hi everybody,

M> today I've got a security report from my FreeBSD box that some suid files changed. Those were /usr/bin/netstat, /usr/bin/fstat and /usr/bin/quote.

M> Using the chkproc program from Nelson Murilo found at pangeia.com.br I found one stealth process. Running a clean ps command I found an ssh daemon (sshd) named 'swapper' in the process list. This daemon
M> is attached to port 50505. Also I found a directory with other hacker's scripts and one of them contained a full list of changed binaries
M> that was: ps, ls, netstat, fstat, ldconfig and telnetd

Looks strange to me. The list of changed setuid binaries is not the
same as in your security report. You had better check this out. How
do you know that ps wasn't trojaned when you ran it? I suggest you
write a CD-R with the clean binaries you may need in your work,
mount it as ~/trash and add ~/trash to your $PATH variable.

M> Examining logs I have not found any records of the hacker's visit. Wtmp was cleared 5 hours before the time the hacker's scripts were created.

M> I'm going not only to remove this trojan from my box, but to find from where the attack was made and the way the attack was made.

M> Now I wrote a small script that will run a clean netstat and grep from its output any connections to port 50505 and the telnet port. This script I have included in my crontab and cron runs it every minute.

M> This way I hope to find from where that man connects to me.

M> Do you have any other suggestions to help me find how the hacker injected the trojan?

If the traffic to this box is not very large I would place some
sniffer between the Internet and the vulnerable box. Logging all
packets can help.

M> In one of the shell scripts I'm talking about I found the copyright mark "nrfbsdrk v0.1 by gREMLiNs".

Try running chkrootkit on it ( /usr/ports/security/chkrootkit ).

M> Thank you.

M> Maxim Sorokin

M> To Unsubscribe: send mail to majordomo@FreeBSD.org
M> with "unsubscribe freebsd-security" in the body of the message

Good luck

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

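Added example for this thread (not code from either poster): one cron-friendly sh script that does the two checks discussed above, verifying the setuid binaries against a checksum baseline kept on the read-only CD-R and running a trusted netstat from that CD-R to log any connection involving port 50505 or the telnet port. The paths (/mnt/cleanbin, the baseline file, /var/log/portwatch.log) and the cron line are assumptions; the netstat output embedded at the bottom is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster. It combines the
# two checks discussed: verify the setuid binaries against a baseline kept on
# read-only media, and run a trusted netstat every minute from cron to log any
# connection involving the backdoor port (50505) or telnet (23).
# Assumed (hypothetical) values: the CD-R of clean binaries is mounted at
# /mnt/cleanbin, the baseline file lives next to them, and matches are
# appended to /var/log/portwatch.log.
# Assumed cron entry:  * * * * * /usr/local/sbin/portwatch.sh
TRUSTED_BIN=${TRUSTED_BIN:-/mnt/cleanbin}
BASELINE=${BASELINE:-/mnt/cleanbin/suid.cksum}
WATCH_PORTS=${WATCH_PORTS:-"50505 23"}
LOGFILE=${LOGFILE:-/var/log/portwatch.log}

# verify_baseline BASELINE
# BASELINE holds lines in the format `cksum` prints: "crc size path"
# (build it once from the CD-R with: cksum /usr/bin/netstat /bin/ps ... > file).
# Prints MISSING/CHANGED for every file that differs from the baseline and
# returns 1 if anything differed, 0 if every file matched.
verify_baseline() {
    rc=0
    while read -r crc size path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        cur=$(cksum "$path" | awk '{ print $1, $2 }')
        if [ "$cur" != "$crc $size" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# flag_conns "PORT PORT ..."
# Reads `netstat -an` output on stdin and prints every TCP line whose local or
# foreign endpoint uses one of the listed ports. BSD netstat writes endpoints
# as host.port (10.0.0.5.50505, *.50505), so the port is the last dot-field.
flag_conns() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ {
            for (f = 4; f <= 5 && f <= NF; f++) {
                k = split($f, a, ".")
                if (k > 1 && (a[k] in want)) { print; next }
            }
        }'
}

# count_flagged "PORT PORT ...": number of lines flag_conns reports, as a bare integer.
count_flagged() {
    flag_conns "$1" | awk 'END { print NR }'
}

# Constructed sample of `netstat -an` output (not captured from a real host):
# an established session on 50505, the listener itself, a normal ssh session
# and a UDP socket that must not be reported.
SAMPLE_NETSTAT='tcp4       0      0  10.0.0.5.50505         192.0.2.10.4123        ESTABLISHED
tcp4       0      0  *.50505                *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            192.0.2.11.51000       ESTABLISHED
udp4       0      0  *.514                  *.*'

# When run from cron on a host that has the trusted binaries mounted, do the
# real checks; anywhere else only the constructed sample is run through the filter.
if [ -x "$TRUSTED_BIN/netstat" ]; then
    if [ -f "$BASELINE" ]; then
        verify_baseline "$BASELINE" >> "$LOGFILE" || :
    fi
    "$TRUSTED_BIN/netstat" -an | flag_conns "$WATCH_PORTS" |
        while read -r line; do
            echo "$(date '+%Y-%m-%d %H:%M:%S') $line"
        done >> "$LOGFILE"
else
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_conns "$WATCH_PORTS"
fi
```

The script deliberately never calls the netstat or cksum found in $PATH for the real check: the whole point of the CD-R is that the binaries used to inspect the box are not the ones the intruder could have replaced, and the baseline must be generated from the known-good copies, not from the binaries already on disk.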