Re: Adore worm

From: Don Sutter (drs@suntreeaz.com)
Date: 11/13/01


From: "Don Sutter" <drs@suntreeaz.com>
To: "Stefan Probst" <stefan.probst@opticom.v-nam.net>
Date: Tue, 13 Nov 2001 11:03:01 -0700

Has anyone tried looking at:
http://www.sophos.com/virusinfo/analyses/linuxadore.html?

----- Original Message -----
From: "Stefan Probst" <stefan.probst@opticom.v-nam.net>
To: <freebsd-security@FreeBSD.ORG>
Cc: "Rob Hurle" <rob@coombs.anu.edu.au>
Sent: Tuesday, November 13, 2001 10:13 AM
Subject: Adore worm

> Good Evening,
>
> sorry for newbie-posting, but I don't have too much time to sift through
> archives....
>
> Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> worm - or infested on purpose:
>
> I found a new directory /usr/lib/.fx/
> which contains all kind of stuff.
> One README file says:
> >%cat README
> > AdoreBSD 0.34 - Based off Linux Adore by Stealth
> > Copyright (c) 2001 bind@gravitino.net
> >
> >Developed on FreeBSD 4.3-STABLE
> >
> >Installation:
> > # make; make load
> >
> >Features:
> > * hide file or directory from view
> > * make processes invisible
> > * hide promiscuous flag and syslog messages
> > * execute as root
> > * hide sysctl mib entries
> > * netstat service hiding
> > * authentication
> > * module hiding
>
> I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped").
> "rc.conf" was modified and three lines with "/bin/xterm" added. I deleted
> this "xterm" program, since it was also created/modified by the worm.
> "rc" itself shows the date of the infection, but I don't know what was done.
>
> Anything known? Any ideas what to do? Looking forward to pointers....
> Rgds,
> Stefan
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

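As an added example that is not part of the thread or of any FreeBSD tool, a POSIX shell check for the indicators Stefan lists: the /usr/lib/.fx/ directory, "/bin/xterm" lines in rc.conf, the dropped xterm binary, and processes hidden from ps (the README's "make processes invisible"). The function names, the inspection of a mounted tree rather than the live root, and the use of procfs for the process comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side checks for the indicators
# reported in the post. Assumptions: the suspect filesystem is reachable as a
# directory tree (a mounted image, or / after booting from clean fixit media),
# and procfs is available for the process comparison.

# Scan a filesystem tree for the file-level indicators. A kernel-module rootkit
# hides files only from the running kernel, so a check run on the compromised
# kernel itself may report nothing; inspect the disk from a clean boot instead.
# Prints the number of indicators found on stdout; details go to stderr.
check_adorebsd_indicators() {
    root="${1:-/}"
    hits=0
    if [ -d "$root/usr/lib/.fx" ]; then
        echo "INDICATOR: $root/usr/lib/.fx exists" >&2
        hits=$((hits + 1))
    fi
    # rc.conf normally holds only variable assignments; a line running a
    # program called xterm from /bin is out of place (X11 on 4.x lives under
    # /usr/X11R6).
    if [ -f "$root/etc/rc.conf" ] && grep -q '/bin/xterm' "$root/etc/rc.conf"; then
        echo "INDICATOR: /bin/xterm referenced in $root/etc/rc.conf:" >&2
        grep -n '/bin/xterm' "$root/etc/rc.conf" >&2
        hits=$((hits + 1))
    fi
    if [ -e "$root/bin/xterm" ]; then
        echo "INDICATOR: $root/bin/xterm present" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# List PIDs visible through procfs but missing from ps output. On FreeBSD 4.x
# mount procfs first (mount -t procfs proc /proc). Short-lived processes that
# exit between the two listings appear as false positives; re-run to confirm.
# If ps itself has been broken, as in the post, every PID is reported.
hidden_pids() {
    ps_pids=" $(ps -ax -o pid= | tr '\n' ' ') "
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        case "$ps_pids" in
            *" $pid "*) ;;
            *) echo "$pid" ;;
        esac
    done
}
```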


