Hacked or not?

From: RazorOnFreeBSD (yann.luppo_at_attglobal.net)
Date: 05/21/04

To: <freebsd-security@freebsd.org>
Date: Fri, 21 May 2004 15:52:45 +0200

Hi,

I have a 4.9-STABLE FreeBSD box that has apparently been hacked!
Yesterday I ran chkrootkit-0.41 and I don't like some of its output.
These are the lines:
chfn ... INFECTED
chsh ... INFECTED
date ... INFECTED
ls ... INFECTED
ps ... INFECTED

But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD 5.x versions,
but I'm not in that case. So I'm a little bit afraid, and as a newbie I don't really know what to do....
I tried "truss ls" to find something strange, and here is the output, with something that looks suspicious to me:

ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
getuid() = 0 (0x0)
readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
break(0x809b000) = 0 (0x0)
break(0x809c000) = 0 (0x0)
break(0x809d000) = 0 (0x0)
break(0x809e000) = 0 (0x0)
...........................................................................................and so on!

And if I am an intrusion victim.... what can I do? How can I restore those files? And how can I find out how this cracker managed to break my firewall? I mean, where is the security hole?
PS: After checking other commands declared not infected, I found out that this ERR#2 is common.... maybe I have another problem here!

Thanks everyone!
razor.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
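As an added example that is not part of the original mail, here is a POSIX shell script for the next step a defender would take: re-checksum each binary chkrootkit flagged as INFECTED against a cksum manifest taken from a known-good install of the same release and patch level, so a real trojaned binary can be told apart from a chkrootkit false positive. The report layout follows the lines quoted in the mail; the manifest format, the function names and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread: cross-check the binaries that
# chkrootkit flagged as INFECTED against a cksum manifest taken from a
# known-good box of the same release. Manifest lines look like the output
# of `cksum /bin/ls /bin/ps ...` run on the clean reference system.

# flagged_tools REPORT: names chkrootkit reported as INFECTED, one per line
# (report lines in the "chfn ... INFECTED" form quoted in the mail).
flagged_tools() {
    grep -E '^[a-z_]+ \.\.\. INFECTED' "$1" | cut -d' ' -f1
}

# verify_flagged REPORT MANIFEST ROOT: recompute each flagged tool's cksum
# under ROOT and compare it with the manifest. Prints one line per tool and
# returns the number of tools that differ, are missing, or are unlisted.
verify_flagged() {
    report=$1; manifest=$2; root=$3; bad=0
    for tool in $(flagged_tools "$report"); do
        entry=$(awk -v t="$tool" '$3 ~ ("/" t "$") { print; exit }' "$manifest")
        if [ -z "$entry" ]; then
            echo "$tool: not in manifest"; bad=$((bad + 1)); continue
        fi
        set -- $entry
        want="$1 $2"; path=$3
        if [ ! -f "$root$path" ]; then
            echo "$tool: $path missing under $root"; bad=$((bad + 1)); continue
        fi
        have=$(cksum < "$root$path")
        if [ "$have" = "$want" ]; then
            echo "$tool: matches baseline (chkrootkit false positive likely)"
        else
            echo "$tool: DIFFERS from baseline $path"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# make_fixture: constructed sample tree (not real binaries); prints its
# directory. /bin/ps is altered after the manifest is taken, /bin/ls and
# /bin/date are untouched, and chfn is deliberately absent from the manifest.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/root/bin"
    printf 'ls-binary\n' > "$d/root/bin/ls"
    printf 'ps-binary\n' > "$d/root/bin/ps"
    printf 'date-binary\n' > "$d/root/bin/date"
    (cd "$d/root" && cksum bin/ls bin/ps bin/date | sed 's# bin/# /bin/#') > "$d/manifest"
    printf 'ps-binary-trojaned\n' > "$d/root/bin/ps"
    printf 'chfn ... INFECTED\nls ... INFECTED\nps ... INFECTED\ndate ... INFECTED\n' > "$d/report"
    echo "$d"
}
```

Run it as `verify_flagged chkrootkit.txt manifest.txt /` on the suspect box; on the constructed fixture it reports ls and date as matching, ps as differing and chfn as unlisted, returning 2.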

