Re: Hacked or not ?

From: M. Boelen (michael_at_computerpech.nl)
Date: 05/22/04

    Date: Sat, 22 May 2004 11:13:22 +0200
    To: RazorOnFreeBSD <yann.luppo@attglobal.net>
    
    

    Hi,

    Someone else already told you about Rootkit Hunter, but forgot to
    say you can install it from the FreeBSD Ports collection
    (/usr/ports/security/rkhunter) ;-)

    (it has been added this month, so a lot of FreeBSD users don't know about it
    yet)

    Michael Boelen
    Author of Rootkit Hunter

    >Hi,
    >
    >I have a 4.9-STABLE FreeBSD box apparently hacked!
    >Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
    >Those are:
    >chfn ... INFECTED
    >chsh ... INFECTED
    >date ... INFECTED
    >ls ... INFECTED
    >ps ... INFECTED
    >
    >But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
    >I know by the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x
    >But I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
    >I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:
    >
    >ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
    >ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
    >getuid() = 0 (0x0)
    >readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
    >mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
    >break(0x809b000) = 0 (0x0)
    >break(0x809c000) = 0 (0x0)
    >break(0x809d000) = 0 (0x0)
    >break(0x809e000) = 0 (0x0)
    >...........................................................................................and so on!
    >
    >And if I am an intrusion victim.... what can I do? How can I restore those files? And how can I find out what this cracker did to break my firewall? I mean, where is the security hole?
    >PS: After verification on other commands declared not infected I found out this ERR#2 is common.... maybe I have another problem here!
    >
    >Thanks everyone!
    >razor.
    >_______________________________________________
    >freebsd-security@freebsd.org mailing list
    >http://lists.freebsd.org/mailman/listinfo/freebsd-security
    >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    >
    >
    >

    -- 
    This is my mailbox. There are many like it but this one is mine.
    My mailbox is my best friend. It is my life. I must master it as I
    master my life.
    My mailbox, without me is useless. Without my mailbox, I am useless.
    I must empty my mailbox true. I must clean him before he gets full.
    I will....
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
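The question underneath the thread is how to tell a chkrootkit false positive from a real replacement of chfn, chsh, date, ls and ps. (The readlink of etc/malloc.conf that truss showed is, as the poster's own PS suspects, ordinary: FreeBSD's libc malloc looks for /etc/malloc.conf at startup, so ERR#2 appears in every program.) The reliable check is a digest comparison against known-good copies of the same release, taken from install media or a clean host, never from the suspect machine itself. The script below is an added example, not code from the thread, from chkrootkit or from Rootkit Hunter: it parses constructed chkrootkit-style output for the INFECTED names, builds a SHA-256 baseline for those files, and reports each one as ok, modified or missing. The demo() function works on a throwaway directory with constructed stand-in files rather than the real /bin, and the "Checking `name'... verdict" sample lines are constructed, modelled on the verdicts the poster quoted.

```python
"""Verify binaries that chkrootkit flagged against a digest baseline (example, not from the thread)."""
import hashlib
import os
import re
import tempfile

# Constructed sample output in chkrootkit's "Checking `name'... verdict" style,
# using the five binaries the original poster listed as INFECTED.
SAMPLE_CHKROOTKIT_OUTPUT = """\
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED
Checking `login'... not infected
Checking `netstat'... not infected
"""

# Accepts both "Checking `ls'... INFECTED" and the poster's shorthand "ls ... INFECTED".
_LINE_RE = re.compile(
    r"[`']?(?P<name>[A-Za-z0-9_./-]+)'?\s*\.\.\.\s*"
    r"(?P<verdict>INFECTED|not infected|NOT INFECTED)\s*$"
)


def flagged_binaries(output):
    """Return the names chkrootkit reported as INFECTED, in order, without duplicates."""
    seen, names = set(), []
    for line in output.splitlines():
        m = _LINE_RE.search(line)
        if m and m.group("verdict") == "INFECTED" and m.group("name") not in seen:
            seen.add(m.group("name"))
            names.append(m.group("name"))
    return names


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """path -> digest. Take this from KNOWN-GOOD copies (install media or a clean
    host of the same release), never from the host under suspicion."""
    return {p: sha256_of(p) for p in paths}


def verify(baseline):
    """Compare each baselined path with its current contents.
    Returns path -> 'ok' | 'modified' | 'missing'."""
    result = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            result[path] = "missing"
        elif sha256_of(path) != expected:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


def demo():
    """Build a throwaway directory holding constructed stand-ins for the flagged
    names, baseline it, then tamper with two files and return verify()'s verdicts
    keyed by basename."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name in flagged_binaries(SAMPLE_CHKROOTKIT_OUTPUT):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"constructed stand-in for /bin/" + name.encode())
            paths.append(p)
        baseline = build_baseline(paths)
        # Simulate a replaced ls (contents changed) and a deleted ps.
        with open(os.path.join(d, "ls"), "ab") as f:
            f.write(b"\x90" * 16)
        os.remove(os.path.join(d, "ps"))
        return {os.path.basename(p): s for p, s in verify(baseline).items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:8s} {status}")
```

In real use, build_baseline() runs on the mounted install media or a freshly installed box of the same FreeBSD release and the resulting digests are saved somewhere the suspect host cannot write; verify() then runs on the suspect host (ideally from a boot CD so its own kernel and libc are not part of the question). A baseline taken from the suspect host would simply record the tampered files as good.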
    
