Re: Hacked?

From: Timothy R. Geier (tgeier_at_acsmail.com)
Date: 05/09/03

  • Next message: Brett Glass: "Re: Hacked?"
    To: Peter Elsner <peter@servplex.com>
    Date: Fri, 9 May 2003 11:50:19 -0400

    On Friday 09 May 2003 10:21, Borja Marcos wrote:
    > On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
    > > open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
    >
    > Look at this. This is a rootkit. What is this file? :-) Probably the
    > typical rootkit config file.
    >
    > The "strings" command was good at this, but I have seen lately some
    > rootkits replacing the strings command. Truss seems to be safer, at
    > least for now.
    >
    > > I'm not exactly sure what I'm looking at... Do you see anything out of
    > > the ordinary?
    >
    > Yes, something like that :-)
    >
    > If you "truss" commands like netstat, ps, etc, I am sure you will find
    > similar operations. Look for open system calls with weird filenames or
    > files in weird places, like above.
    >
    >
    >
    >
    > Borja.
    >
    > _______________________________________________
    > freebsd-security@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

    To add a few more thoughts to this, the most likely places for rootkit
    configurations and possibly executables are hidden directories under /tmp,
    /dev/, and /var/tmp. Of course, these are not the only possible places, but
    they are the most popular.

    Also, the use of nmap or another port scanner from a remote machine can
    discover if the rootkit has left any backdoor ports open. Since you've
    restored netstat, though, "netstat -l" should work just as well. After
    determining if there are any backdoors, I would recommend removing the
    compromised machine from any network(s) it is on and then performing a
    detailed analysis, restoration, and hardening. An article on this process
    can be found at http://www.securityfocus.com/infocus/1692.

    -- 
    Timothy R. Geier, Systems Administrator
    Advanced Communications Systems
    tgeier@acsmail.com
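One way to apply the advice in this thread (truss a suspect binary, then look for open() calls on hidden paths under /dev, /tmp or /var/tmp) as an added example; this is not code from the thread or from FreeBSD. The sample truss lines are constructed, except the first, which is the one Peter posted; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of truss(1) output. The first line is the one quoted in the
# thread; the rest are made up to show normal and suspicious cases side by side.
SAMPLE_TRUSS='open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
open("/var/run/ld-elf.so.hints",0x0,00) = 3 (0x3)
open("/tmp/.x/config",0x0,0666) = 4 (0x4)
open("/usr/lib/libc.so.5",0x0,057) = 3 (0x3)
read(3,"...",1024) = 1024 (0x400)
open("/var/tmp/.ICE-unix/.s",0x0,0666) = 5 (0x5)
open("/dev/null",0x1,0666) = 6 (0x6)'

# suspicious_opens: read truss output on stdin and print the path of every open()
# whose target lives under /dev, /tmp or /var/tmp AND contains a hidden
# (dot-prefixed) path component, as in the thread's /dev/fd/.99/.ttyf00 example.
# Real usage (truss writes its trace to stderr unless -o is given):
#   truss netstat -an 2>&1 >/dev/null | suspicious_opens
suspicious_opens() {
    # keep only the quoted path argument of open("...") lines
    sed -n 's/^open("\([^"]*\)".*/\1/p' |
    awk -F/ '
        $0 ~ "^/(dev|tmp|var/tmp)/" {
            # fields start at 2 because the leading "/" yields an empty $1
            for (i = 2; i <= NF; i++) if ($i ~ /^\./) { print $0; break }
        }'
}

# count_suspicious: number of hits in the constructed sample (used as a self-check)
count_suspicious() {
    printf '%s\n' "$SAMPLE_TRUSS" | suspicious_opens | wc -l | tr -d ' '
}

# first_suspicious: the first hit in the sample, which is the path from the thread
first_suspicious() {
    printf '%s\n' "$SAMPLE_TRUSS" | suspicious_opens | head -n 1
}
```

A clean netstat or ps should produce no output from this filter; any hit is worth inspecting by hand, as the thread suggests, since a dotted directory under /dev or /tmp has no normal reason to exist.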