Re: Hacked or not ?
Razor,
Download the source and recompile those binaries and see if chkrootkit
gives you the same 'INFECTED' messages.
Daniel M. Spielman
On Fri, 21 May 2004, RazorOnFreeBSD wrote:
> Hi,
>
> I have a 4.9-STABLE FreeBSD box apparently hacked!
> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> Those are:
> chfn ... INFECTED
> chsh ... INFECTED
> date ... INFECTED
> ls ... INFECTED
> ps ... INFECTED
>
> But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
> I know by the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x
> But I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
> I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:
>
> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
> getuid() = 0 (0x0)
> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
> break(0x809b000) = 0 (0x0)
> break(0x809c000) = 0 (0x0)
> break(0x809d000) = 0 (0x0)
> break(0x809e000) = 0 (0x0)
> ...........................................................................................and so on!
>
> And if I am an intrusion victim.... what can I do ? How can I restore those files? and how can I find out how this cracker did to break my firewall? I mean where is the security hole?
> PS: After verification on other commands declared not infected I found out this ERR#2 is common.... maybe I have another problem here!
>
> Thanks everyone!
> razor.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 8 之 17 篇):