Hacked?
Borja Marcos
borjamar at sarenet.es
Fri May 9 07:21:16 PDT 2003
On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
> open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
Look at this. This is a rootkit. What is this file? :-) Probably the
typical rootkit config file.
The "strings" command was good at this, but I have seen lately some
rootkits replacing the strings command. Truss seems to be safer, at
least for now.
> I'm not exactly sure what I'm looking at... Do you see anything out of
> the ordinary?
Yes, something like that :-)
If you "truss" commands like netstat, ps, etc, I am sure you will find
similar operations. Look for open system calls with weird filenames or
files in weird places, like above.
Borja.
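The check Borja describes, looking through truss output for open() calls on hidden files under system directories, can be automated over a saved trace. This is an added example, not code from the thread; the sample lines (except the first, which is the one quoted above) and the list of system directories are constructed assumptions.

```python
import re
from typing import List

# Constructed sample of truss-style output. Only the first line is the one
# quoted in the message; the rest are made up to exercise the filter.
SAMPLE_TRUSS = """\
open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
open("/etc/malloc.conf",0x0,0666) ERR#2 'No such file or directory'
open("/usr/lib/libc.so.5",0x0,00) = 3 (0x3)
open("/dev/ptyp0",0x2,0666) = 4 (0x4)
open("/usr/lib/.lib/.conf",0x0,0666) = 5 (0x5)
read(3,"...",1024) = 1024 (0x400)
"""

# Matches the path argument of an open() line as truss prints it.
OPEN_RE = re.compile(r'^open\("([^"]*)"')

# Assumption: legitimate files under these directories are never dot-entries,
# so a hidden component here is "a file in a weird place" worth a look.
SYSTEM_DIRS = ("/dev", "/etc", "/lib", "/usr/lib", "/usr/libexec")


def is_suspicious(path: str) -> bool:
    """True if the path is a hidden entry somewhere under a system directory."""
    if not any(path == d or path.startswith(d + "/") for d in SYSTEM_DIRS):
        return False
    components = path.split("/")[1:]  # drop the empty leading component
    return any(c.startswith(".") and c not in (".", "..") for c in components)


def scan_truss(output: str) -> List[str]:
    """Return the open() targets in a truss log that look out of place."""
    flagged = []
    for line in output.splitlines():
        m = OPEN_RE.match(line.strip())
        if m and is_suspicious(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for p in scan_truss(SAMPLE_TRUSS):
        print("suspicious open():", p)
```

Feed it a real trace (e.g. the output of truss on netstat or ps, saved to a file) and review every hit by hand; the heuristic only narrows the list.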
More information about the freebsd-security mailing list