Re: Hacked or not ?

From: azze (azze_at_bl0wf1sh.ath.cx)
Date: 05/21/04

    Date: Fri, 21 May 2004 22:12:23 +0200
    To: yann.luppo@attglobal.net
    
    

    maybe you should

    - grep the 4.9-STABLE sources of chfn,chsh,date,ls,ps
      build it and diff/md5 the built stuff
    - ktrace(dump) the (current)ls, etc. with the (fresh) cvs version (rev for 4.9-S)
    - just reinstall the system :)

    R> Hi,

    R> I have a 4.9-STABLE FreeBSD box apparently hacked!
    R> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
    R> Those are:
    R> chfn ... INFECTED
    R> chsh ... INFECTED
    R> date ... INFECTED
    R> ls ... INFECTED
    R> ps ... INFECTED

    R> But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
    R> I know by the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x
    R> But I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
    R> I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:

    R> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
    R> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
    R> getuid() = 0 (0x0)
    R> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
    R> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
    R> break(0x809b000) = 0 (0x0)
    R> break(0x809c000) = 0 (0x0)
    R> break(0x809d000) = 0 (0x0)
    R> break(0x809e000) = 0 (0x0)
    R> ...........................................................................................and so on!

    R> And if I am an intrusion victim.... what can I do? How can I restore
    R> those files? And how can I find out what this cracker did to break my
    R> firewall? I mean, where is the security hole?
    R> PS: After verification on other commands declared not infected I found
    R> out this ERR#2 is common.... maybe I have another problem here!

    R> Thanks everyone!
    R> razor.
    R> _______________________________________________
    R> freebsd-security@freebsd.org mailing list
    R> http://lists.freebsd.org/mailman/listinfo/freebsd-security
    R> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

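    azze's first suggestion, rebuilding the flagged binaries from clean sources and comparing digests with the installed copies, as an added shell example that is not part of the thread or of any FreeBSD tool. The names digest_of, report, compare_tree and demo are chosen here, and the five files demo checks are constructed stand-ins for the real binaries, not rebuilt code.

```shell
#!/bin/sh
# Added example, not from the thread: digest-compare installed binaries against
# copies rebuilt from clean 4.9-STABLE sources, the check azze suggests. Only
# meaningful if the rebuild matched the live revision and build options, and the
# comparison itself runs from a host you trust rather than the suspect box.

digest_of() {   # md5(1) on FreeBSD, md5sum elsewhere; print only the hex digest
    if command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else md5sum "$1" | cut -d' ' -f1; fi
}
report() { printf '%-8s %s\n' "$1" "$2"; }

# compare_tree LIVE_ROOT GOOD_ROOT relpath...
# Prints OK / MISMATCH / MISSING per binary; returns how many are not OK.
compare_tree() {
    live=$1; good=$2; shift 2; bad=0
    for rel in "$@"; do
        if [ ! -f "$live/$rel" ] || [ ! -f "$good/$rel" ]; then
            report MISSING "$rel"; bad=$((bad + 1))
        elif [ "$(digest_of "$live/$rel")" = "$(digest_of "$good/$rel")" ]; then
            report OK "$rel"
        else
            report MISMATCH "$rel"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# demo WORKDIR: constructed stand-ins for the five binaries chkrootkit flagged,
# identical in both trees except ps (altered) and chsh (deleted) on the "live"
# side. The last line printed is the number of binaries needing attention.
demo() {
    work=$1
    for side in live good; do mkdir -p "$work/$side/bin" "$work/$side/usr/bin"; done
    for rel in bin/date bin/ls bin/ps usr/bin/chfn usr/bin/chsh; do
        printf 'clean %s\n' "$rel" > "$work/good/$rel"
        cp "$work/good/$rel" "$work/live/$rel"
    done
    printf 'trojan\n' >> "$work/live/bin/ps"   # stand-in for a replaced ps
    rm "$work/live/usr/bin/chsh"              # stand-in for a removed binary
    n=0
    compare_tree "$work/live" "$work/good" \
        bin/date bin/ls bin/ps usr/bin/chfn usr/bin/chsh || n=$?
    echo "$n"
}

work=$(mktemp -d "${TMPDIR:-/tmp}/chk.XXXXXX")
demo "$work"
rm -rf "$work"
```

On a real box the good tree would be the DESTDIR of a build from the matching src revision and the live tree the root of the suspect system; a nonzero return from compare_tree is the list to investigate, not proof of compromise on its own.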

