
Hacked or not ?



Thanks a lot everyone, I have enough to work on ;)
You were really helpful, and for sure those who use the mailing list
search function will appreciate it too!

razor

----- Original Message ----- 
From: "M. Boelen" <michael_(_at_)_computerpech_(_dot_)_nl>
To: "RazorOnFreeBSD" <yann_(_dot_)_luppo_(_at_)_attglobal_(_dot_)_net>
Cc: <freebsd-security_(_at_)_freebsd_(_dot_)_org>
Sent: Saturday, May 22, 2004 11:13 AM
Subject: Re: Hacked or not ?


> Hi,
>
> Someone else already told you about Rootkit Hunter, but forgot to
> say you can install it from the FreeBSD Ports collection
> (/usr/ports/security/rkhunter) ;-)
>
> (it has been added this month, so a lot of FreeBSD users don't know it
> yet)
>
> Michael Boelen
> Author of Rootkit Hunter
>
> >Hi,
> >
> >I have a 4.9-STABLE FreeBSD box apparently hacked!
> >Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> >Those are:
> >chfn     ... INFECTED
> >chsh    ... INFECTED
> >date     ... INFECTED
> >ls         ... INFECTED
> >ps        ... INFECTED
> >
> >But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING
> >DELETED, or NOTHING DETECTED.
> >I know from the FreeBSD-Security archives that chkrootkit isn't perfect
> >with FreeBSD versions 5.x.
> >But I'm not in that case. So I'm a little bit afraid, and as a newbie I
> >don't really know what to do....
> >I tried "truss ls" to find something strange, and here are the outputs
> >with something... suspicious for me:
> >
> >ioctl(1,TIOCGETA,0xbfbff534)                        = 0 (0x0)
> >ioctl(1,TIOCGWINSZ,0xbfbff5a8)                    = 0 (0x0)
> >getuid()                                                        = 0 (0x0)
> >readlink("etc/malloc.conf",0xbfbff490,63)        ERR#2 'No such file or
> >directory'         #SUSPICIOUS
> >mmap(0x0,4096,0x3,0x1002,-1,0x0)              = 671666176 (0x2808d000)
> >break(0x809b000)                                        = 0 (0x0)
> >break(0x809c000)                                        = 0 (0x0)
> >break(0x809d000)                                        = 0 (0x0)
> >break(0x809e000)                                        = 0 (0x0)
> >........................ and so on!
> >
> >And if I am an intrusion victim.... what can I do? How can I restore
> >those files? And how can I find out what this cracker did to break through
> >my firewall? I mean, where is the security hole?
> >PS: After checking other commands declared not infected, I found
> >out this ERR#2 is common.... maybe I have another problem here!
> >
> >Thanks everyone!
> >razor.
> >_______________________________________________
> >freebsd-security_(_at_)_freebsd_(_dot_)_org mailing list
> >http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >To unsubscribe, send any mail to
"freebsd-security-unsubscribe_(_at_)_freebsd_(_dot_)_org"
> >
> >
> >
>
>
> -- 
>
> This is my mailbox. There are many like it but this one is mine.
> My mailbox is my best friend. It is my life. I must master it as I
> master my life.
>
> My mailbox, without me is useless. Without my mailbox, I am useless.
> I must empty my mailbox true. I must clean him before he gets full.
> I will....
>
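The thread's question of whether chkrootkit's INFECTED lines on chfn, chsh, date, ls and ps are genuine can be settled by comparing the flagged binaries against hashes taken from trusted media (the install CD, or a world built on a clean host of the same release). The script below is an added example, not code from the thread or from chkrootkit; the baseline format ("<sha256> <path>" per line) and the demo files it constructs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify binaries chkrootkit flagged
# against a baseline of known-good SHA-256 hashes taken from trusted media.
# Baseline format is an assumption: one "<sha256> <path>" pair per line.

# SHA-256 of one file. FreeBSD ships sha256(1); Linux ships sha256sum(1).
file_hash() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Check each manifest entry, print OK / MODIFIED / MISSING per path and
# return the number of entries that are not OK (0 means everything matched).
verify_baseline() {
    bad=0
    while read -r expected path; do
        case $expected in ''|\#*) continue ;; esac   # skip blanks and comments
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        actual=$(file_hash "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Constructed demo data standing in for /bin/ls, /bin/ps and /usr/bin/chfn:
# one file untouched, one altered after the baseline was taken, one absent.
make_demo_manifest() {
    d=$(mktemp -d) || return 1
    printf 'clean-ls\n' > "$d/ls"
    printf 'clean-ps\n' > "$d/ps"
    {
        echo "# baseline from trusted media (constructed for this demo)"
        echo "$(file_hash "$d/ls") $d/ls"
        echo "$(file_hash "$d/ps") $d/ps"
        echo "0000000000000000000000000000000000000000000000000000000000000000 $d/chfn"
    } > "$d/baseline.txt"
    printf 'trojaned-ps\n' > "$d/ps"      # tamper after the baseline is written
    echo "$d/baseline.txt"
}

verify_baseline "$(make_demo_manifest)" || echo "$? entries need attention"
```

On a real system the manifest would list the full paths of the flagged binaries with hashes computed on the trusted copies, and a MODIFIED result on a binary of the same release is what separates a real compromise from a chkrootkit false positive.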