Hacked?
Timothy R. Geier
tgeier at acsmail.com
Fri May 9 08:50:36 PDT 2003
On Friday 09 May 2003 10:21, Borja Marcos wrote:
> On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
> > open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
>
> Look at this. This is a rootkit. What is this file? :-) Probably the
> typical rootkit config file.
>
> The "strings" command was good at this, but I have seen lately some
> rootkits replacing the strings command. Truss seems to be safer, at
> least for now.
>
> > I'm not exactly sure what I'm looking at... Do you see anything out of
> > the ordinary?
>
> Yes, something like that :-)
>
> If you "truss" commands like netstat, ps, etc, I am sure you will find
> similar operations. Look for open system calls with weird filenames or
> files in weird places, like above.
>
>
>
>
> Borja.
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
To add a few more thoughts to this, the most likely places for rootkit
configurations and possibly executables are hidden directories under /tmp,
/dev/, and /var/tmp. Of course, these are not the only possible places, but
they are the most popular.
Also, the use of nmap or another port scanner from a remote machine can
discover if the rootkit has left any backdoor ports open. Since you've
restored netstat, though, "netstat -l" should work just as well. After
determining if there are any backdoors, I would recommend removing the
compromised machine from any network(s) it is on and then performing a
detailed analysis, restoration, and hardening. An article on this process
can be found at http://www.securityfocus.com/infocus/1692.
--
Timothy R. Geier, Systems Administrator
Advanced Communications Systems
tgeier at acsmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: signature
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030509/05d54345/attachment.bin
More information about the freebsd-security
mailing list