Re: Adore worm

From: Rob Hurle (rob@coombs.anu.edu.au)
Date: 11/14/01


Date: Wed, 14 Nov 2001 10:31:18 +1100 (EST)
From: Rob Hurle <rob@coombs.anu.edu.au>
To: Stefan Probst <stefan.probst@opticom.v-nam.net>

Hi Stefan,

> Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> worm - or infested on purpose:
>
> I found a new directory /usr/lib/.fx/
> which contains all kind of stuff.
> One README file says:
> >%cat README
> > AdoreBSD 0.34 - Based off Linux Adore by Stealth
> > Copyright (c) 2001 bind@gravitino.net
> >
> >Developed on FreeBSD 4.3-STABLE
> >
> >Installation:
>....<snip>
> Anything known? Any ideas what to do? Looking forward to pointers....

This is a common one I think. I was hit by it a few weeks ago too. Not
sure if there's a safe way to undo the damage - in my case I had been
putting off the upgrade to 4.4 because of the usual laziness, and so I
just upgraded.

        A couple of pointers. I had noticed (by using `last`) a few pokes
at my system in the weeks prior to the attack (from somewhere with a *.de
domain name). The first thing the attack does is to delete everything in
/var/log so that you cannot see what is going on. The `ps` that is
installed works on 4.3 (obviously not on 4.2) and hides some processes
from you. The /bin/xterm is activated at startup (the call is installed
in rc.conf), and a new telnetd is installed. I'm not sure what these
things do, but they may poo over everything - the best advice is what
others have said, re-install.

        As for how to avoid it, I'm not sure. telnetd had a problem, and
I seem to remember there was a security advisory on inetd before 4.4.
People advise ssh, but I notice that this particular attack also has a new
version of ssh to install, so I don't know about that. I've had a brief
look at ssh, but it needs some careful configuration. Firewalls are not
much help, because it starts with a legitimate request to telnetd or
inetd, and then crashes them.

        Sorry not to be of much help.

Cheers,

Rob
        -----------------------------------------------------
        Rob Hurle              Tel: +61 2 6247 2397
        PO Box 13              Fax: +61 2 6247 2397
        Ainslie                Cell phone: 0417 293 603
        Australia              e-mail: rob@coombs.anu.edu.au
        -----------------------------------------------------
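The indicators named in the thread (the hidden /usr/lib/.fx/ directory, an emptied /var/log, a /bin/xterm started from rc.conf) can be checked from a shell without trusting the possibly trojaned `ps`. The script below is an added example, not part of Rob's or Stefan's mail and not from the AdoreBSD package; the optional root-prefix argument is my own addition so the check can be pointed at a mounted disk or a constructed test tree instead of the live root.

```shell
#!/bin/sh
# Added example: report filesystem indicators of the AdoreBSD rootkit
# described in the thread. Only the paths named in the mail are checked;
# the root prefix argument (default "/") is an assumption for testing
# against a mounted or constructed tree rather than the running system.
# Prints one line per finding; returns 0 if nothing matched, 1 otherwise.
check_adore_indicators() {
    root=${1:-/}
    found=0

    # 1. The hidden directory /usr/lib/.fx/ from Stefan's report.
    if [ -d "$root/usr/lib/.fx" ]; then
        echo "INDICATOR: hidden directory $root/usr/lib/.fx exists"
        found=1
    fi

    # 2. /var/log wiped: an existing but empty log directory on a host
    #    that has been running for a while is not normal.
    if [ -d "$root/var/log" ] && [ -z "$(ls -A "$root/var/log" 2>/dev/null)" ]; then
        echo "INDICATOR: $root/var/log is empty"
        found=1
    fi

    # 3. /bin/xterm activated at startup via rc.conf. A real xterm lives
    #    under the X11 tree, never in /bin, and rc.conf has no reason to
    #    mention it.
    if [ -x "$root/bin/xterm" ]; then
        echo "INDICATOR: $root/bin/xterm is present and executable"
        found=1
    fi
    if [ -f "$root/etc/rc.conf" ] && grep -q 'xterm' "$root/etc/rc.conf"; then
        echo "INDICATOR: $root/etc/rc.conf references xterm"
        found=1
    fi

    return $found
}

# When saved as check_adore.sh and run directly, check the given root
# (or "/"); when sourced, only the function is defined.
case "$0" in
    *check_adore.sh) check_adore_indicators "${1:-/}" ;;
esac
```

A clean result from this script is not proof of a clean host: the trojaned `ps` and telnetd mentioned in the mail are binaries that look normal from the filesystem, so the only reliable next step is the one the thread already gives, comparing system binaries against known-good copies from the release media or re-installing.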
